Basic Concepts
Policy Administration – Policy Decission – ISE (Identity Services Engine) Policy Enforcement – Network Access Devices – Switches, Wireless, Routers Policy Information – NAC Agent, NAC Web Agent, 802.1X Supplicant (AnyConnect)
Authentication Methods:
- 802.1x (NAC Agent, 802.1x supplicant)
- MAC Authentication bypass (MAB) – Database of the MAC Address of the devices that don’t support 802.1x (printers, cameras)
- Web Authentication
- VPN Authentication
Authorization Methods:
- ACLs (dACL, Named ACL, time based ACL)
- VLANs assignation
- Security Group Access – Cisco TrustSec – SGT – Security Group Tagging
Change Of Authorization – Method to change an endpoint authorization status after meeting some conditions, such as checking the security compliance of the endpoint. Needs to be supported by the Network Access Device.
Radius: standard-based for AAA services.
TACACS+: AAA protocol developed by Cisco. Supports command by command basis authorization. Provides accounting for device changes audit.
Current version of ISE: 1.3 (November 2014)
ISA Deployment
ISE can run on 3415, 3455, 3495 servers or VMWare
People:
- PAN – Policy Administration Node
- PSN – Policy Service Node
- MNT – Monitoring and Troubleshooting Node
Failover behavior
Distributed deployment, up to 250.000 endpoints
- Two boxes with Admin roles
- Two boxes with Monitoring roles
- Up to 40 PSNs
PSNs can be clusterized in a L2 level.
NAD – Network Access Devices will have the prioritized list of the PSNs that they will use
802.1x
802.1x Host Modes
- Single Host Mode – Only one device (MAC Address) per port. Second causes unauthorized port state.
- Multiple Host mode – (hub usage). first device defines authentication, other devices get same access.
- Multiple Domain Authentication (MDA) mode – Data Voice. Independent authentication for each device.
- Multiple Authentication mode – Authenticates every MAC address. Same VLAN but ACL per device.
Deployment modes
- Monitor mode Before authentication: Authentication Open Full access After authentication: Full access configuration: authentication open
- Low impact mode Before authentication: Authentication OPEN Pre ACL to limit the traffic After authentication: Full access or controlled access through ACL configuration: authentication open ip access-group default-ACL in
- Closed mode Before authentication: No access allowed. Only EAPOL allowed. After authentication: Full access or controlled access through AC
EAP
EAP – Extensible Authentication Protocol
End user speaks 802.1x with the Network Access Device through a Suplicant. (EAPOL)
Network Access Device speaks Radius with the ISE PSN node. (EAP/Radius)
System uses EAP-X end to end
- EAP-FAST: Symetric Cryptography. It uses PAC keys (protected access credentials) that are exchange between endpoint and PSN. They could be eavesdropped. The keys are used to create a tunnel to send the credentials.
- EAP-PEAP: Only a certificate on the PSN is required. The certificate is delivered to the endpoint. The endpoint uses the public key of the PSN certificate to create a session key and setup a tunnel to send the User and Password through it
- EAP-TLS: Both PSN and endpoint requires a certificate. No encryption is required as they will do an exchange of the public keys. Downside is the big quantity of certificates to be managed.
- EAP-MD5 – CHAP: Challange – response. No server authentication. Vulnerable to MITM attacks
- EAP-MSCHAPv2: Challange – response with hashing. Active Directory Environment.
Switch configuration
aaa new-model
endpoint security eset endpoint security book