0% found this document useful (0 votes)

143 views90 pages

07 - Cisco Secure Network Access Solutions (Cisco ISE)

Cisco Secure Network Access utilizes a suite of services embedded in Cisco Catalyst switches and WLCs, enabling strong authentication and policy-based authorization. The foundation of this solution is IEEE 802.1X, which facilitates network access control through a series of components including supplicants, authenticators, and authentication servers. Cisco ISE acts as a centralized platform for managing authentication, authorization, and accounting services, ensuring secure access to network resources while maintaining compliance and managing guest access.

Uploaded by

Ramez Safwat

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

143 views90 pages

07 - Cisco Secure Network Access Solutions (Cisco ISE)

Uploaded by

Ramez Safwat

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

07- Cisco Secure Network Access Solutions (Cisco ISE)

Ahmed Sultan
Senior Technical Instructor
ahmedsultan.me/about
1
Cisco Secure Network Access

• Cisco secure network access is characterized by a suite of services that are

embedded in Cisco Catalyst switches and Cisco WLCs.
• Cisco ISE uses infrastructure services provided by switches and WLCs to allow you
to implement the following services:

▪ Strong authentication using IEEE 802.1X, MAB, and Web Authentication

▪ Policy-based authorization via downloadable ACLs, VLAN assignment, or SGTs.

CCNP Security | SCOR (350-701) © egyptnetriders.com 2

Cisco Secure Network Access (cont.)

• The Cisco secure network access solution promotes authentication to access the
network.
• Authentication serves as the basis for differentiating users and/or devices,
providing varying levels of access to networked resources based on corporate
access policy.

CCNP Security | SCOR (350-701) © egyptnetriders.com 3

Cisco Secure Network Access (cont.)

• The foundation for Cisco Secure Network Access is IEEE 802.1X, a port-based
authentication and access control protocol, which can be applied at a physical
switch port on the wired network or on a wireless LAN (WLAN) on Cisco WLC.
• In both wired and wireless domains, clients will require the installation of a Cisco
802.1X supplicant, the configuration of a native operating system supplicant or,
in the case of Linux clients, the installation of an open-source supplicant.
• Wireless users generally expect that they will need to authenticate before being
granted access to the corporate network.
• As a result, populations of wireless users are good candidates for initial Cisco
secure network access deployments.

CCNP Security | SCOR (350-701) © egyptnetriders.com 4

Cisco Secure Network Access Components
The main components and functions of secure network access using 802.1X are:

▪ 802.1X client supplicant software: Each client that connects to a wired or wireless network
under 802.1X control requires supplicant software. The supplicant is responsible for initiating
an authentication session with the authenticator.

▪ 802.1X authenticator: The 802.1X authenticator, or also called network access device (NAD),
determines the pre-authorization traffic policy, forwards supplicant credentials to the
authentication server, and enforces network access policy as prescribed by the
authentication server.

▪ 802.1X authentication server: The 802.1X authentication server is responsible for validating
the access credentials forwarded by the authenticator and performs an identity-based policy
lookup. Access restrictions are then pushed to the authenticator, or the NAD. The credentials
that are supplied by the client can take the form of digital certificates, passwords, one-time
passwords (OTPs) supplied by a token, or a client MAC address.

CCNP Security | SCOR (350-701) © egyptnetriders.com 5

Cisco Secure Network Access Components (cont.)

The main components and functions of secure network access using 802.1X (cont.)

CCNP Security | SCOR (350-701) © egyptnetriders.com 6

AAA Role in Cisco Secure Network Access Solution

• To authenticate users and devices, the integration of authentication,

authorization, and accounting (AAA) services are required.

• Authentication can be compared to being stopped at the office lobby by a security guard,
After you provide a driver’s license to validate that you are on the guest list, you are
given an access badge.
• Authorization relates to which doors the access badge opens, Your access is restricted by
the badge policy.
• Accounting is the system that tracks your movements through the building and records
which doors you accessed with your badge and whether access was permitted or denied.

CCNP Security | SCOR (350-701) © egyptnetriders.com 7

AAA Role in Cisco Secure Network Access Solution (cont.)

• Here, Cisco ISE acts as AAA server in Cisco Identity Based Networking Services
(IBNS) deployments and provides authentication, authorization, and accounting
services for controlled network access.

CCNP Security | SCOR (350-701) © egyptnetriders.com 8

AAA Role in Cisco Secure Network Access Solution (cont.)

• The basic phases of Cisco secure network access wired port control are as
follows:

1. The supplicant on the end user machine announces itself to the authenticator
(switch).
2. The authenticator (switch) prompts the supplicant for authentication credentials.
3. The supplicant provides credentials to the authenticator (switch), The credentials
are provided by the supplicant to the authenticator (switch) via the Extensible
Authentication Protocol (EAP), EAP supports various authentication methods,
Some of the most commonly deployed EAP authentication types include EAP-MD5,
EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST.

CCNP Security | SCOR (350-701) © egyptnetriders.com 9

AAA Role in Cisco Secure Network Access Solution (cont.)

• The basic phases of Cisco secure network access wired port control
are as follows (cont.)

4. The authenticator (switch) forwards the credentials to the authentication server

(Cisco ISE), The authenticator (switch) proxy the EAP data from the supplicant to
the authentication server (Cisco ISE) using RADIUS encapsulation.
5. The authentication server (Cisco ISE) validates the credentials and makes a policy
decision that is based on the supplied identity.
6. The authentication server (Cisco ISE) instructs the authenticator (switch) to enforce
policy on the switch port.
7. Authenticator (switch) enforces policy.

CCNP Security | SCOR (350-701) © egyptnetriders.com 10

Cisco Identity Services Engine

• Cisco ISE is a centralized network access control and policy enforcement platform.
With it you gain centralized policy management solution to control network
access and usage policies from a single location.

CCNP Security | SCOR (350-701) © egyptnetriders.com 11

Cisco Identity Services Engine (cont.)

• Cisco ISE gathers key information about user and device access, and uses this
information to control end user network access and administrative network
device access, regardless of connection type.
• Wired, wireless, and remote users can connect directly or through VPNs.
• Whether connected remotely or directly to corporate resources, users can
receive the same unified access and control.
• Cisco ISE also delivers guest and enterprise mobility management capabilities
that regulate access to Internet, internal corporate network and resources.

CCNP Security | SCOR (350-701) © egyptnetriders.com 12

Cisco Identity Services Engine (cont.)

• Cisco ISE can also use gathered information to ensure regulatory compliance to
various government and industry standards.
• This information can also be shared among Cisco Eco system partner devices over
pxGrid (Plaftorm Exchange Grid), to enhance the capabilities for services
including Security Information and Event Management (SIEM), Mobile Device
Management (MDM), Network Behavior Analysis (NBA), intrusion prevention
systems (IPS), and much more.
• pxGrid is an open, scalable, and IETF standards-driven API platform helps
automate security to get answers and contain threats faster.

CCNP Security | SCOR (350-701) © egyptnetriders.com 13

Cisco Identity Services Engine (cont.)

• Integrated RADIUS services inside Cisco ISE, enable AAA, which is typically used
for end user network access.
• User identities can be validated against an internal Cisco ISE database, back-end
external Microsoft Active Directory, or LDAP servers.

CCNP Security | SCOR (350-701) © egyptnetriders.com 14

Cisco Identity Services Engine (cont.)

Cisco ISE Posture Compliance

1. Authentication determines whether the user can access the network.
2. After the Cisco ISE RADIUS service verifies user identity and processes account
attributes, it can apply an authorization profile to the session.
3. Cisco ISE sends this authorization policy to the NAD in a RADIUS Access-Accept
reply.
4. This authorization policy controls what actions a user can perform.
5. Accounting tracks user actions, when and where they logged in, what they
accessed, and more.

CCNP Security | SCOR (350-701) © egyptnetriders.com 15

Cisco Identity Services Engine (cont.)

6. Posture assessment allows you to validate and maintain endpoint security

capabilities.
7. You can configure initial RADIUS authentication to grant only limited client
access.
8. After initial client access, posture assessment can validate endpoint operating
system and patch versions, virus protection, and other compliance
requirements.
9. If the device meets these criteria, elevated access can be granted by using
RADIUS Change of Authorization (CoA) massaging.
10. If devices are noncompliant, you can engage remediation functions.

CCNP Security | SCOR (350-701) © egyptnetriders.com 16

Cisco Identity Services Engine (cont.)

• This feature helps to ensure that endpoints conform defined security standards.

CCNP Security | SCOR (350-701) © egyptnetriders.com 17

Cisco Identity Services Engine (cont.)

Cisco ISE Profiling Service

1. Initial access: Profiling services enable Cisco ISE to determine the endpoint
device type and capabilities. After initial authentication, devices can be placed
in an "unknown" category.

2. Classification/profiling: The profiling service will then probe key characteristics,

such as interactions with HTTP, Domain Name System (DNS), DHCP, and RADIUS
services. It can thus determine the device type and place it in a defined
category such as Android, Apple, or iPad. An internal endpoint database stores
the profiling results to streamline subsequent authorization and categorization.
CCNP Security | SCOR (350-701) © egyptnetriders.com 18
Cisco Identity Services Engine (cont.)

Cisco ISE Profiling Service (cont.)

3. Match device type to other context: Cisco ISE is now aware of the contextual
what, and matches it with who, how, where, and when.
4. Granular Policy: You can now use this context to create very granular policy.
When user "JoeD" logs in using his personal iPad from a public café, he may
have limited access. But when he logs in using his corporate laptop from his
desk at the office, he gains elevated levels of access.

CCNP Security | SCOR (350-701) © egyptnetriders.com 19

Cisco Identity Services Engine (cont.)

Cisco ISE Profiling Service (cont.)

CCNP Security | SCOR (350-701) © egyptnetriders.com 20

Cisco Identity Services Engine (cont.)

Cisco ISE Guest Management

• Cisco ISE provides a complete system for guest life-cycle management.

• Guest users can access the network for a limited time by using either the
Sponsored Guest Portal, Self-Registered Guest Portal, or Hotspot Guest Portal.
• Administrators can customize the portals and policy based on the specific needs
of the enterprise.

CCNP Security | SCOR (350-701) © egyptnetriders.com 21

Cisco Identity Services Engine (cont.)

Cisco ISE Guest Management (cont.)

CCNP Security | SCOR (350-701) © egyptnetriders.com 22

Cisco TrustSec

• Cisco TrustSec simplifies the provisioning and management of secure access to

network services and applications.
• It defines policies using logical policy groupings, so secure access is consistently
maintained even as resources are moved in mobile and virtualized networks.

CCNP Security | SCOR (350-701) © egyptnetriders.com 23

Cisco TrustSec (cont.)

• Cisco TrustSec access control is implemented using ingress tagging and egress
enforcement.
• At the ingress point to the Cisco TrustSec domain, traffic from the source is
tagged with an Security Group Tag (SGT) containing the security group number of
the source entity.
• At the egress point of the Cisco TrustSec domain, an egress device uses the
source SGT and the security group number of the destination entity (the
destination SG,or DGT) to determine which access policy to apply from the SGACL
policy matrix.

CCNP Security | SCOR (350-701) © egyptnetriders.com 24

Cisco TrustSec (cont.)

• The previous figure provides an example of using SGACL to control access:

1. Cisco ISE informs the NAD to assign an SGT of 5 for all packets from
Employees and an SGT of 4 for all Managers.
2. Cisco ISE dynamically pushes these tags to the network access devices
(NADs) via SGT transport.
3. The central policy indicates that Employees (SGT=5) may access Applications
servers (SGT=10), but not financial servers (SGT=14), while Managers can
access all servers.
4. To enforce this policy, Cisco ISE pushes SGACLs down to the switches and
SGFW configuration to the firewalls.

CCNP Security | SCOR (350-701) © egyptnetriders.com 25

802.1X and EAP

• EAP is a flexible transport protocol used to carry arbitrary authentication

information, and not the authentication method itself (EAP supports a wide
selection of authentication methods).
• EAP is also media-independent, but typically runs over data link layers such as
PPP, IEEE 802.3 wired, or 802.11 wireless media.
• There are four EAP packet types defined in RFC 3748 and listed by the number
that is assigned to the code field of the EAP packet:
Code Field EAP Packet Type

1 Request

2 Response

3 Success

4 Failure

CCNP Security | SCOR (350-701) © egyptnetriders.com 26

802.1X and EAP (cont.)

• It is important to understand that EAP itself is a specification for the transport of

authentication and authorization mechanisms and not an authentication
protocol.

CCNP Security | SCOR (350-701) © egyptnetriders.com 27

802.1X and EAP (cont.)

• 802.1X defines the encapsulation of EAP over IEEE 802, which is known as EAPOL.
• When a switch port is configured to require 802.1X authentication, it is called a
controlled port.
• A controlled port, by default, does not allow any input on that port except for
EAPOL.
• The supplicant can only access network services beyond the port after the
supplicant authenticates.

CCNP Security | SCOR (350-701) © egyptnetriders.com 28

802.1X and EAP (cont.)

• The role of the authenticator is to enforce policies that are provided by the
authentication server, to serve as a translator between Layer 2 EAPOL messages
from the supplicant, and to encapsulate EAP in Layer 3 RADIUS messages to the
authentication server, Cisco ISE in this example.

CCNP Security | SCOR (350-701) © egyptnetriders.com 29

EAP Methods

• The authentication protocol that is used within EAP authentication and

authorization mechanism is defined by the used EAP method.

• There are two types of EAP methods:

1. Tunnel EAP
2. Non-tunnel EAP.

CCNP Security | SCOR (350-701) © egyptnetriders.com 30

EAP Methods (cont.)

• In the simple, Non-tunnel EAP architecture, a single EAP session exists between
the supplicant and the authentication server.
• In this architecture, the supplicant sends its identity (name) in the clear to the
authentication server.

CCNP Security | SCOR (350-701) © egyptnetriders.com 31

EAP Methods (cont.)

• This step is followed by an exchange that authenticates the authentication server

to the user, and the user to the authentication server.
• If the user is successfully authenticated, the authentication server signals success
to the authenticator via the RADIUS protocol.
• This mode is simple to understand, but has the limitation of transmitting the user
identity (but not the credentials) in the clear.
• These EAP architectures cannot easily support one-time passwords, because
these passwords do not support challenge-response methods that are typically
used inside the EAP authentication exchange.

CCNP Security | SCOR (350-701) © egyptnetriders.com 32

EAP Methods (cont.)

• To overcome these limitations, you can use a tunneled EAP architecture, in which
an outer EAP encapsulates an inner EAP.
• The outer EAP provides server authentication, and a cryptographically secure
tunnel for the inner EAP method to run in.

CCNP Security | SCOR (350-701) © egyptnetriders.com 33

EAP Methods (cont.)

• Typical outer EAPs are Protected Extensible Authentication Protocol (PEAP),

• Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling
(EAP-FAST).
• Extensible Authentication Protocol-Microsoft Challenge Handshake
Authentication Protocol version 2 (EAP-MSCHAPv2),
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS),
• Extensible Authentication Protocol-Generic Token Card (EAP-GTC) are commonly
used for the inner EAP.

CCNP Security | SCOR (350-701) © egyptnetriders.com 34

EAP Methods (cont.)

• EAP-TLS and EAP-MSCHAPv2, tunneled inside PEAP or EAP-FAST are the most
widely used EAP methods to deploy secure network access.
• However, EAP functionality varies based on the EAP method selected and it is
important to consider the capabilities of each EAP method when making a
selection for a new implementation.
• For example, if there is a requirement to use digital certificates for client
authentication, EAP-TLS is the only non-tunnel method that satisfies the
requirement.

CCNP Security | SCOR (350-701) © egyptnetriders.com 35

Describing 802.1X Authentication

• RADIUS Initially developed in 1991 by Livingston to provide authentication,

authorization, and accounting (AAA) services for its line of remote access servers
(RASs), RADIUS has been extended and expanded to service the AAA needs of a
wide variety of devices and requirements.

CCNP Security | SCOR (350-701) © egyptnetriders.com 36

Describing 802.1X Authentication (cont.)

• RADIUS defines four packet types that are used to authenticate and authorize
user communications.
• In the context of 802.1X, these four packet types are used to carry EAP messages.

CCNP Security | SCOR (350-701) © egyptnetriders.com 37

Describing 802.1X Authentication (cont.)
RADIUS Packet Types Description

Every RADIUS session must begin with an Access-Request.

The request usually includes a username, but must include
Access-Request information about the network access server (NAS) and some
form of password. This packet type is always sent to the
RADIUS server.

This packet type is used to convey the configuration

information to the NAS to provision services for the user. In
Access-Accept the context of 802.1X, this could include a DACL, or VLAN
assignment. This packet type is always sent from the RADIUS
server.

If any attribute received by the RADIUS server is not

Access-Reject acceptable, an Access-Reject packet must be sent to the NAS.
This packet type is always sent from the RADIUS server.

Upon receipt of an Access-Request, the RADIUS server may

issue a challenge to the user. In an EAP-MD5 exchange, the
RADIUS server will use this packet type to send the challenge
Access-Challenge string to the user. The proper response to an Access-
Challenge packet is an Access-Request packet with the
answer to the challenge. This packet type is always
sent from the RADIUS server.

CCNP Security | SCOR (350-701) © egyptnetriders.com 38

Describing 802.1X Authentication (cont.)

• In the context of 802.1X, RADIUS is used as a transport mechanism for EAP

messages, sourced from 802.1X supplicant and sent to authentication server.
• Note that EAP messages are transported inside RADIUS only between an
authentication and authentication server.

CCNP Security | SCOR (350-701) © egyptnetriders.com 39

Describing 802.1X Authentication (cont.)

• EAP messages from the supplicant to the authenticator are exchanged as Layer 2
EAPOL packets.
• Because the authentication server speaks the RADIUS protocol and is likely Layer
3 adjacent to the authenticator, the authenticator encapsulates EAP messages in
RADIUS.
• The authenticator acts as a translating transit point for EAP and RADIUS.
• Any EAP methods that are used by the client must be also be configured in the
RADIUS authentication server.

CCNP Security | SCOR (350-701) © egyptnetriders.com 40

Describing 802.1X Authentication (cont.)

• The authentication can be initiated by the supplicant or the authenticator.

• The authenticator initiates authentication when the link state changes from down
to up, or periodically as long as the port remains up and unauthenticated.
• The authenticator sends an EAP request or identity frame to the client to request
its identity.
• Upon receipt of the frame, the supplicant responds with an EAP response or
identity frame.
• However, if during bootup, the supplicant does not receive an EAP request or
identity frame from the authenticator, the supplicant can initiate authentication
by sending an EAPOL start frame, which prompts the authenticator to request the
identity of the client.

CCNP Security | SCOR (350-701) © egyptnetriders.com 41

Describing 802.1X Authentication (cont.)

• When the supplicant provides its identity, the authenticator begins its role as the
intermediary and passes EAP frames between the supplicant and the
authentication server until authentication succeeds or fails.
• If the authentication succeeds, the authenticator port is authorized.

CCNP Security | SCOR (350-701) © egyptnetriders.com 42

RADIUS Change of Authorization

• The RADIUS CoA feature provides a mechanism to change the attributes of a AAA
session after it is authenticated.
• When a policy changes for a user or user group on a AAA server, such as Cisco ISE,
the server can send unsolicited RADIUS CoA request to reinitialize authentication
and apply the new policy.

CCNP Security | SCOR (350-701) © egyptnetriders.com 43

RADIUS Change of Authorization
• Cisco ISE server heavily relies on RADIUS CoA. Without support for CoA on ISE
and Cisco IOS and IOS XE devices, and Cisco WLCs, the following services would
not be available:

• Central web authentication: CoA is used to change authorization session of a user after the
user authenticates via a captive guest portal.

• Client posturing: CoA is used to change authorization session of a user after Cisco ISE
determines posture status of the client.

• Client profiling: CoA is used to change authorization session of a device after Cisco ISE
determines profile and classification of the device.

• Rapid threat containment: CoA is used to change authorization session of a user if another
Cisco devices, such as Cisco Stealthwatch, or Cisco FirePower Next-Generation Firewall,
detects malicious event involving the user.

CCNP Security | SCOR (350-701) © egyptnetriders.com 44

RADIUS Change of Authorization

• The following figure displays a sample flow of RADIUS CoA for the purposes of
client posturing with Cisco ISE.

CCNP Security | SCOR (350-701) © egyptnetriders.com 45

Cisco Catalyst Switch 802.1X Configuration

• You can use a phased approach when deploying 802.1X.

• This phased approach helps you to determine the potential impact to devices,
adjust policy enforcement over time, and ensure a smooth transition to identity-
based policy services.

CCNP Security | SCOR (350-701) © egyptnetriders.com 46

Cisco Catalyst Switch 802.1X Configuration (cont.)
You can use these 802.1X deployment modes:

• Monitor (open) mode: Allows you to enable authentication across the wired infrastructure, without
affecting wired users or devices. administrators use the monitor mode to help ensure that all devices
are authenticating correctly, either with 802.1X or MAB. If a device is misconfigured or is missing an
802.1X supplicant, access will be allowed and logged. However, if authentication succeeds,
authorization (for example, Dynamic VLAN, Downloadable access control list (DACL)) can still be
applied.

• Low-impact mode: It allows selective transition from an open (nonfiltering) preauthorization method to
selective preauthorization. This function is provided by static port ACLs (Pre-ACL as shown in the
previous figure) that allow necessary services such as Dynamic Host Configuration Protocol (DHCP) and
Domain Name System (DNS) while blocking all other network access. Users connected to controlled
ports will receive additional access (based on policy) after successful authentication, based on DACL
that will override the static ACL on the port.

• High-security (closed) mode: It provides the highest level of controls by configuring the closed pre-
authorization port control. No traffic will be permitted on a port except EAPOL before authentication
and authorization.