Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD
Jerome Henry, Principal Engineer, CCIE – 27450
BRKEWN-2005
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
What this session will cover…
• AP and WLC secure connection;
• wireless radio threats;
• secure/open SSID fundamentals;
• client secure connection options;
• CUWN and AireOS use cases
…and what it won’t…
• configuration details;
• version discrepancies;
• roadmap;
• IPv6;
• not too much for guests.
…except when it does.
For your reference
• There are slides in your PDF that will not be presented, or quickly presented.
• They are valuable, but included only “For your reference”.
Agenda
• Secure the infrastructure
• Protecting the air
• Secure the clients
• Network Services
• Use cases
Cisco Digital Network Architecture for mobility
Principles
• Automation: Plug n Play; EasyQoS; ISE for 802.1X, BYOD and Guest; open APIs (modular APs with RESTful APIs)
• Cloud Service Management: CMX 10.x with Context and Guest
• Assurance: RESTful APIs on the WLC; Netflow export; Apple Network Optimization & FastLane
• Platforms & Virtualization: modular APs with RESTful APIs; DNA-optimized controllers 3504, 5520, 8540; VM models for ESXi, KVM, HyperV, AWS
Outcomes
• Insights and Experiences
• Automation and Assurance
• Security and Compliance
WLAN portfolio with integrated security
Pillars: Protect the Clients, Protect the Network, Protect the Air, Trust.
• Integrated security within APs and WLCs, and advanced security with policies, segmentation and visibility.
• Features: Cisco Trustworthy Systems; certifications (FIPS, Common Criteria, DoD UC APL); Identity PSK; TrustSec (with ISE); Base WIPS; Rogue Detection; CleanAir; Adaptive WIPS; default best practices; 802.11w; DTLS; Cisco Umbrella; Cisco Stealthwatch.
Trustworthy Systems: Protect the Device
Embedded security built for today’s threats; security expertise and innovation; evidence of trust.
“Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions… There has never been a greater need to improve network infrastructure security.” (Alert TA16-251A, September 2016)
Learn more:
• Visit trust.cisco.com
• See: BRKARC-1010 “Protecting the Device: Cisco Trustworthy Systems & Embedded Security”
• Meet the Engineer: Topic: “Security and Trust Architecture”
Cisco Trustworthy Systems Levels
Enterprise Wireless: protects the network.
Platform Integrity
• Counterfeit Protections
• Image Signing
• Secure Boot
• Modern Crypto
• Hardware Trust Anchor
• Secure Device Onboarding
Protections Against Attack (solution-level attack protection)
• ISE, Stealthwatch, Umbrella
• IP Source Guard, ACLs, DHCP Snooping
• WIPS/Rogue, Secure Transport
• 802.11w, r, i; TrustSec; Netflow
Security Culture
• PSIRT Advisories
• Security Training
• Product Security Baseline
• Threat Modeling
• Open Source Registration
• Supply Chain Management
Learn more: BRKARC-1010 “Protecting the Device: Cisco Trustworthy Systems & Embedded Security”
End to End Security: A Glimpse
AP
• Securing the air through accurate classification of rogues and interference
• Secure communication with other APs via 802.11w/MFP and DTLS
• Security at the edge with aWIPS
Controller
• Netflow collection for security and insights with Lancope (NaaS, Network as a Sensor)
CMX
• Geo-fencing limits access to within the physical perimeter
ISE
• Secure authentication with 802.1X
• Securing personal devices (BYOD); simple guest deployment
• Per-device and per-application policies
• Easy segmentation with TrustSec
• IoT classification and policy
Cisco Umbrella
• Content filtering and protection against cyber-attacks
Switch
• IoT segmentation with TrustSec (NaaE, Network as an Enforcer)
Devices
• ISE + Meraki/third-party MDM prioritizes applications
Secure the Infrastructure
Secure Infrastructure: Feature Highlights
• Infrastructure hardening
• Plug n Play
• FIPS support
• 802.11 encryption
• MFP, 802.11w
• Certificate store
• Best practices
• Trustworthy Systems
Securing the infrastructure
• How to secure the AP connectivity and access.
• How to secure the communication between the WLC and the AP.
• How to secure the radio:
  • intrusion detection/prevention;
  • rogue access points;
  • interferences.
CAPWAP between the Access Point (AP) and the Wireless LAN Controller (WLC): data encapsulation on UDP 5247, control messages on UDP 5246.
Securing the AP-WLC communication: CAPWAP tunnels and Data DTLS (see BRKEWN-2010)
• CAPWAP control is encrypted by default.
• CAPWAP data is encapsulated but not encrypted by default.
• Option to encrypt data traffic for specific APs since 7.0.
• Support for DTLS data encryption between AP and WLC.
• Performance impact: without Data DTLS, average vWLC throughput is 200 Mbps; with all APs using Data DTLS, throughput is 100 Mbps.
Wi-Fi Client to Access Point to Controller: CAPWAP control plane over DTLS on UDP 5246; CAPWAP data plane (optionally DTLS) on UDP 5247.
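The slide states that the CAPWAP control tunnel is DTLS-protected by default while the data tunnel is not. The following Python script is an added example, not from this deck or from Cisco: it classifies captured UDP 5246/5247 payloads using only the CAPWAP preamble from RFC 5415 section 4.1 (version nibble 0; type nibble 0 is a plaintext CAPWAP header, type 1 is a CAPWAP DTLS header) and the DTLS record content-type byte, then reports which APs still send plaintext data traffic. The AP addresses and packet bytes are constructed samples; against a real capture you would feed (ap_ip, udp_dst_port, payload) tuples to audit_flows.

```python
"""Audit whether CAPWAP tunnels between APs and the WLC are DTLS-protected.

Added example for this deck, not Cisco code. It relies only on the CAPWAP
preamble defined in RFC 5415 section 4.1 and on the DTLS record content-type
byte. Flow records and packet bytes below are constructed samples.
"""
from collections import defaultdict

CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247
DTLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}


def classify_capwap_payload(payload: bytes) -> str:
    """Return 'plaintext', 'dtls:<record type>' or 'unknown' for one UDP payload."""
    if not payload:
        return "unknown"
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        return "unknown"
    if ptype == 0:
        return "plaintext"
    if ptype == 1:
        # Three reserved bytes follow the preamble, then the DTLS record header.
        if len(payload) < 5:
            return "unknown"
        return "dtls:" + DTLS_CONTENT_TYPES.get(payload[4], "unknown")
    return "unknown"


def audit_flows(flows):
    """flows: iterable of (ap_ip, udp_dst_port, payload) for packets sent by APs.

    Returns {ap_ip: {"control": set(kinds), "data": set(kinds)}}.
    Packets on ports other than the two CAPWAP ports are ignored.
    """
    planes = {CAPWAP_CONTROL_PORT: "control", CAPWAP_DATA_PORT: "data"}
    report = defaultdict(lambda: {"control": set(), "data": set()})
    for ap_ip, port, payload in flows:
        plane = planes.get(port)
        if plane is None:
            continue
        report[ap_ip][plane].add(classify_capwap_payload(payload))
    return dict(report)


def aps_without_data_dtls(report):
    """APs whose data plane carried at least one plaintext CAPWAP packet."""
    return sorted(ap for ap, planes in report.items() if "plaintext" in planes["data"])


def aps_with_plaintext_control(report):
    """The control plane is DTLS by default; plaintext here is always a finding."""
    return sorted(ap for ap, planes in report.items() if "plaintext" in planes["control"])


# Constructed packets. DTLS-wrapped CAPWAP: preamble 0x01, three reserved bytes,
# then a DTLS 1.2 application-data record (type 23, version 0xFEFD, epoch, seq, len).
DTLS_APP_DATA = (bytes([0x01, 0, 0, 0, 23, 0xFE, 0xFD]) + bytes(8)
                 + bytes([0, 4]) + b"\xAA\xBB\xCC\xDD")
# Plaintext CAPWAP data: preamble 0x00 followed by a CAPWAP header and payload.
PLAINTEXT_CAPWAP = bytes([0x00, 0x20, 0, 0, 0, 0, 0, 0]) + b"\x08\x00\x45\x00"

SAMPLE_FLOWS = [
    ("10.0.0.10", CAPWAP_CONTROL_PORT, DTLS_APP_DATA),
    ("10.0.0.10", CAPWAP_DATA_PORT, PLAINTEXT_CAPWAP),   # default: data not encrypted
    ("10.0.0.11", CAPWAP_CONTROL_PORT, DTLS_APP_DATA),
    ("10.0.0.11", CAPWAP_DATA_PORT, DTLS_APP_DATA),      # Data DTLS enabled on this AP
    ("10.0.0.11", 53, b"\x00\x01"),                      # not CAPWAP, ignored
]

if __name__ == "__main__":
    rep = audit_flows(SAMPLE_FLOWS)
    print("APs without Data DTLS:", aps_without_data_dtls(rep))
    print("APs with plaintext control:", aps_with_plaintext_control(rep))
```

Because the data plane is plaintext CAPWAP unless Data DTLS is enabled per AP, this kind of check is the quickest way to confirm that the "encrypt data for specific APs" option really took effect after a configuration change.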
Securing the AP-WLC communication: Manufacturer Installed Certificate (MIC)
The AP authenticates to the WLC with its MIC when it brings up the CAPWAP control tunnel (DTLS, UDP 5246) and, when enabled, the CAPWAP data tunnel (DTLS, UDP 5247).
Securing the AP-WLC communication: Locally Significant Certificate (LSC)
The CAPWAP tunnels can instead be authenticated with certificates issued by your own PKI.
Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html
Securing the AP-WLC communication: Out-of-Box AP Group and RF Profile (v7.3+)
• Berlin AP Group > Radios Enabled
• Out-of-Box AP Group > Radios Disabled
Newly joined APs land in the Out-of-Box AP group with their radios disabled until they are moved to a production AP group such as Berlin.
Example: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01011101.html#ID2870
APIC-EM Plug-n-Play (PnP), AireOS 8.2
The PnP server provisions APs for Site-2 (WLC-2a / WLC-2b) and Site-3 (WLC-3a / WLC-3b).
Site | Product ID | Serial # | Hostname | Configuration
Site-2 | AIR-CAP3702I-A-K9 | RFD0XP2T025 | Site-2-AP | Site-2-Config
Site-3 | AIR-CAP3702I-A-K9 | RFE0ZP2T026 | Site-3-AP | Site-3-Config
Configuration | WLC | AP Group | AP Mode
Site-2-Config | WLC-2a | Site-2-Group | AP-Site-2
Site-3-Config | WLC-3a | Site-3-Group | AP-Site-3
Resulting AP settings:
• Site-2: WLC IP: WLC-2a; AP Name: Site-2-AP; AP Mode: Local; AP Group: Site-2-Group
• Site-3: WLC IP: WLC-3a; AP Name: Site-3-AP; AP Mode: FlexConnect; AP Group: Site-3-Group
APIC-EM Plug-n-Play (PnP): for secure provisioning of Access Points
• The AP learns the APIC-EM IP from DHCP option 43 or by DNS resolution of pnpserver.<dhcp-domain-option>.
• AP SN #123 > config file (WLC IP, Berlin AP Group, etc.)
• AP SN #456 > not in any Project list > Claim list
AP PnP Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html
Securing the AP-WLC communication: Default AP Group and WLAN Id > 16 (for your reference)
• Default AP Group > WLAN Id 1-16
• Berlin AP Group > WLAN Id 17+
Wireless connection workflow
Endpoint to Access Point (AP) over 802.11; AP to Wireless LAN Controller (WLC) over CAPWAP (data encapsulation UDP 5247, control messages UDP 5246).
1. Probe Request / Probe Response (the probe request is forwarded to the WLC)
2. Authentication Request / Authentication Response (not for 802.1X, but in case of PSK)
3. (Re)Association Request / (Re)Association Response
4. 802.1X phase if enabled
5. EAPoL key exchange in case of PSK or 802.1X
6. Other identity services
IDS/wIPS focus on these 802.11 exchanges.
AP control at the access layer: a few words on 802.1X
Roles: supplicant (the AP) to authenticator over EAP over LAN (EAPoL), a Layer 2 point-to-(multi)point link; authenticator to AuthC server over RADIUS, a Layer 3 link.
Beginning:
• EAPoL Start
• EAPoL Request Identity
• EAP-Response Identity: Printer → RADIUS Access-Request [AVP: EAP-Response: Printer]
Middle (multiple challenge/request exchanges possible):
• RADIUS Access-Challenge [AVP: EAP-Request EAP-FAST] → EAP-Request: EAP-FAST
• EAP-Response: EAP-FAST → RADIUS Access-Request [AVP: EAP-Response: EAP-FAST]
End:
• RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] → EAP Success
AP control at the access layer: 802.1X credentials for the AP *
The AP acts as supplicant towards the switch (authenticator) over EAPoL; the switch talks RADIUS to the AuthC server.
AP# capwap ap dot1x username [USER] password [PWD]
* Not supported today on 1800/2800/3800 APs.
AP control at the access layer: the FlexConnect challenge
A FlexConnect AP “needs” a trunk port, while 802.1X (usually) needs an access port:
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ...
AP control at the access layer: the FlexConnect challenge, solved with an interface template * (see LABSEC-2004)
• AP to switch: “Here I am.”
• Switch to AuthC server: “What do you think?”
• AuthC server: “Accept. Here is the interface template.”
The RADIUS authorization carries:
cisco-av-pair=interface-template-name=FLEXCONNECT_AP_TRUNK_TEMPLATE
and the switch applies:
template FLEXCONNECT_AP_TRUNK_TEMPLATE
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,110,120,130
 switchport mode trunk
 spanning-tree portfast trunk
* IOS 15.2(2)E.
Security and Threat Mitigation
Security and Threat Mitigation: AP radio roles
2800/3800 APs with an XOR radio and Flexible Radio Assignment (FRA) can run 5 GHz serving, 2.4 GHz serving, or 5/2.4 GHz monitor:
• Enabled by Dual 5 GHz
• Adjust radio bands to better serve the environment
Security and threat mitigation features: P2P blocking; client exclusion; aWIPS, ELM; rogue detection in Local, Monitor or Security Module mode; Cisco CleanAir® with off-channel scanning, classification and EDRRM; TKIP encryption (8.3 MR1).
wIPS Process Flow and Component Interactions
Base wIPS runs across the WLC, the wIPS AP and (optionally) PI; Adaptive wIPS adds the MSE 8.x together with PI.
Solution | Components | Functions | Licensing
Base WIPS | WLC, AP and Prime Infrastructure (optional) | Supports 17 native signatures; supports rogue detection & containment | Does not require any licensing
Adaptive WIPS | WLC, AP, MSE and Prime Infrastructure | Offers comprehensive over-the-air threat detection & mitigation | Licensed feature on MSE
Cisco WIPS solution = Base WIPS + Adaptive WIPS
Intrusion Detection System (IDS)
• It works with basic WLC+AP.
• 17 pre-canned signatures.
• Additional custom signatures are supported.
aWIPS: Accurate Detection & Mitigation
Detection: on/off-channel scanning, signature & anomaly detection, network traffic analysis, device inventory analysis.
Threats: rogue APs/clients, ad-hoc connections, over-the-air attacks (cracking, recon, DoS).
Classification
• Default tuning profiles
• Customizable event auto-classification
• Wired-side tracing
• Physical location
Notification
• Unified PI security dashboard
• Flexible staff notification
• Device location
Mitigation
• Wired port disable
• Over-the-air mitigation
• Auto or manual
• Uses all APs for superior scale
Management
• Role-based with audit trails
• Customizable event reporting
• PCI reporting
• Full event forensics
wireless Intrusion Prevention System (wIPS): threat categories
• Denial of Service: service disruption
• Evil Twin / Honeypot AP: the attacker's own AP
• Reconnaissance: seeking network vulnerabilities
• Cracking tools: sniffing and eavesdropping
• Non-802.11 attacks: backdoor access and service disruption from Bluetooth, radar, RF jammers, microwaves (detected by CleanAir and tracked by MSE)
• Ad-hoc wireless bridge: client-to-client backdoor access
• Rogue access points
wIPS with Cisco Mobility Services Engine (MSE) 8.0
APs report to their WLCs; Prime Infrastructure and the MSE exchange wIPS data over SOAP/XML over HTTP/HTTPS.
IDS and wIPS Signatures (for your reference)
IDS signatures run on the WLC; wIPS signatures run on the MSE.
Supported AP modes for wIPS
Four modes are listed: three serve data on 2.4 and 5 GHz with wIPS on all channels, one serves data on 5 GHz only with wIPS on all channels; wIPS on a data-serving radio is “best effort”.
Cisco Adaptive wIPS Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43500
Cisco Wireless Security Deployment with AP3800/2800: maintains capacity and avoids interference
Features | Good: ELM | Better: Monitor Mode AP | Best: ELM with FRA Monitor Mode
Deployment Density | Per AP | 1 in 5 APs | 1 radio per 5 APs
Client Serving with Security Monitoring | Y | N | Y
wIPS Security Monitoring | 50 ms off-channel scan on selected channels on 2.4 and 5 GHz | 7 x 24 all channels on 2.4 GHz and 5 GHz | 7 x 24 all channels on 2.4 GHz and 5 GHz
CleanAir Spectrum Intelligence | 7 x 24 on client serving channel | 7 x 24 all channels on 2.4 GHz and 5 GHz | 7 x 24 all channels on 2.4 GHz and 5 GHz
[Figure: channel timelines per mode. Enhanced Local Mode AP (GOOD): on both 2.4 GHz and 5 GHz the radio alternates between its serving channel and short off-channel dwells. Monitor Mode AP (BETTER): both radios walk all channels over time (Ch1, Ch2 … Ch11; Ch36, Ch38 … Ch157, Ch161). ELM with FRA wireless security monitoring (BEST): one radio keeps serving on 5 GHz while the other walks all channels.]
Rogue Access Points: what are they?
• A rogue AP is an AP that does not belong to our deployment.
• We might need to care (malicious/on network) or not (friendly).
• Sometimes we can disable them, sometimes we can mitigate them.
“I don’t know it.” “Me neither.”
Rogue Detection and Mitigation
Scanning by AP mode:
• Data-serving AP: serves clients on 2.4 GHz and 5 GHz, with 50 ms off-channel scans.
• Monitor Mode AP: scans 1.2 s per channel.
• FRA with Monitor Mode: serves clients on the dedicated 5 GHz radio while the other radio scans 1.2 s per channel.
Rogue classification and containment
• Rogue rules
• Manual classification: friendly/malicious
• Manual and auto containment
CleanAir with rogue AP types
• WiFi Invalid Channel
• WiFi Inverted
Rogue location
• Real-time with PI, MSE, CleanAir
• Location of rogue APs and clients, ad-hoc rogues, non-Wi-Fi interferers
Rogue AP Detection: rogue rules in the WLC and general options
Containing Multiple Rogues with a Single Click
• In 7.4, the WLC allows manual containment of multiple rogue APs in a single click.
• Rogues are classified and the admin alerted; the admin can then initiate containment in a single click.
• The AP nearest to the rogue AP sends the containment packets to the rogue AP.
• Rogue clients per rogue AP increased from 16 to 256 (the 2504 supports 64 rogue clients per rogue AP).
Step 0: create a rogue policy. Step 1: select rogues (click to select all). Step 2: click [Contain] (click to contain all).
Policy Based Auto Containment
• Custom rogue policies let the administrator define multiple custom rogue rules, each including an automated action.
• Based on the administrative rogue rule policy, a rogue AP/client can be automatically classified as an internal or external rogue and can trigger auto-containment.
Rule Type | Notify / Action | Custom Severity
Friendly | Alert; Internal; External | No
Malicious | Alert; Contain | No
Custom | Alert; Contain | Yes (1…100)
Step 1: create a rogue rule with a containment action. Step 2: the filtered rogue list is automatically contained.
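As an added example (not WLC code), the following Python rule engine applies the Friendly / Malicious / Custom table above to detected rogues: rules are evaluated in priority order, the first match decides the classification, Custom rules must carry a severity of 1..100, and the resulting action list is alert or alert plus contain. The condition names (ssid, managed-ssid, no-encryption, rssi, client-count, duration) are my reading of the WLC rogue-rule condition types and should be treated as an assumption; the managed SSIDs, sample rules and sample rogues are constructed.

```python
"""Rogue rule evaluation with the Friendly / Malicious / Custom action table.

Added example for this deck, not WLC code. Condition names, the managed SSID
set, the rules and the rogues are constructed assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

MANAGED_SSIDS = {"CorpWiFi", "CorpGuest"}   # constructed: SSIDs we advertise


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int
    client_count: int
    encrypted: bool
    seen_seconds: int


@dataclass
class RogueRule:
    name: str
    rule_type: str                    # "Friendly" | "Malicious" | "Custom"
    priority: int                     # lower value is evaluated first
    match: str = "all"                # "all" or "any" of the conditions
    conditions: dict = field(default_factory=dict)
    contain: bool = False             # Custom rules may alert only or contain
    severity: Optional[int] = None    # Custom only, 1..100
    friendly_state: str = "External"  # Friendly only: Internal or External

    def __post_init__(self):
        if self.rule_type == "Custom":
            if self.severity is None or not 1 <= self.severity <= 100:
                raise ValueError("Custom rule needs a severity of 1..100")
        elif self.severity is not None:
            raise ValueError("only Custom rules carry a severity")


def condition_holds(name: str, value, rogue: Rogue) -> bool:
    """Evaluate one condition against a detected rogue."""
    if name == "ssid":              # SSID is in the given set
        return rogue.ssid in value
    if name == "managed-ssid":      # rogue advertises one of our SSIDs
        return (rogue.ssid in MANAGED_SSIDS) == value
    if name == "no-encryption":
        return (not rogue.encrypted) == value
    if name == "rssi":              # rogue is at least this strong (dBm)
        return rogue.rssi_dbm >= value
    if name == "client-count":
        return rogue.client_count >= value
    if name == "duration":          # seen for at least this many seconds
        return rogue.seen_seconds >= value
    raise ValueError(f"unknown condition {name}")


def rule_matches(rule: RogueRule, rogue: Rogue) -> bool:
    results = [condition_holds(k, v, rogue) for k, v in rule.conditions.items()]
    if not results:
        return False
    return all(results) if rule.match == "all" else any(results)


def classify(rogue: Rogue, rules) -> dict:
    """First matching rule (by priority) decides classification and actions.
    Unmatched rogues stay Unclassified and only raise an alert."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule_matches(rule, rogue):
            continue
        if rule.rule_type == "Friendly":
            return {"class": "Friendly", "state": rule.friendly_state,
                    "severity": None, "actions": ["alert"], "rule": rule.name}
        if rule.rule_type == "Malicious":
            return {"class": "Malicious", "state": "Alert", "severity": None,
                    "actions": ["alert", "contain"], "rule": rule.name}
        actions = ["alert", "contain"] if rule.contain else ["alert"]
        return {"class": "Custom", "state": "Alert", "severity": rule.severity,
                "actions": actions, "rule": rule.name}
    return {"class": "Unclassified", "state": "Alert", "severity": None,
            "actions": ["alert"], "rule": None}


# Constructed rules, in the order the WLC would evaluate them.
RULES = [
    RogueRule("evil-twin", "Malicious", 1,
              conditions={"managed-ssid": True}),
    RogueRule("strong-open-with-clients", "Custom", 2, contain=True, severity=80,
              conditions={"no-encryption": True, "rssi": -60, "client-count": 5}),
    RogueRule("known-neighbour", "Friendly", 3, friendly_state="External",
              conditions={"ssid": {"CoffeeShop", "NeighbourCorp"}}),
]
```

Because the first match wins, the order of the rules matters as much as their conditions: a rogue advertising one of our SSIDs is classified Malicious before the weaker Custom and Friendly rules get a chance to see it.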
Rogue AP Detection: Rogue Location Discovery Protocol (RLDP)
An AP associates to the rogue AP as a client and sends an RLDP message (UDP 6352) towards the WLC; if the message arrives, the rogue is on our wired network.
Caveats:
• it only works if the rogue SSID is open;
• it does not work if the RLDP message gets filtered;
• while trying to associate to the rogue AP, the RLDP AP stops serving clients (up to 30 secs).
Rogue AP Detection: Rogue Detector mode
A Rogue Detector AP sits on a trunk carrying all monitored VLANs (WLC, AP, client, etc.) and watches for ARP from rogue clients, which tells whether a rogue is on the wire.
Caveats:
• it only works if the rogue client’s MAC is not behind NAT;
• it supports up to 500 rogue MACs.
Config. guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html
Rogue AP Detection: Switch Port Tracing (for your reference)
Prime walks the CDP neighbors and the CAM tables (including the next hop) to find the switch port where the rogue is connected.
CleanAir and RRM
[Figure sequence, three slides: APs on channels 1, 6 and 11; CleanAir reports a detected interferer (marked X) to RRM, which changes the channel of the affected AP.]
Event Driven RRM (EDRRM)
Sensitivity thresholds:
• High: Air Quality ≤ 60
• Medium: Air Quality ≤ 50
• Low: Air Quality ≤ 35
Rogue AP duty cycle contribution is available as of AireOS 8.1.
CleanAir detectable Attacks: some examples
Layer mapping:
• Traditional IDS/IPS, Layer 3-7: IP and application attacks & exploits
• wIPS, Layer 2: WiFi protocol attacks & exploits
• CleanAir, Layer 1: RF signaling attacks & exploits
CleanAir is dedicated to L1 exploits on 2.4 GHz and 5 GHz: rogue threats (“undetectable” rogues), Wi-Fi jammers, and “classic” interferers. See BRKEWN-3010.
Recap of Cisco WIPS
• Detecting extensive DoS attacks and security penetration: Base WIPS + Adaptive WIPS
• Locating rogue APs, attackers and victims
• Manual or fixed auto containment policy for rogue AP/client
• Comprehensive wired rogue detection algorithm using Auto SPT, RLDP or Rogue Detector AP
Wired rogue detection and tracing:
• Open / wired / NATed rogue AP: RLDP or Rogue Detector (magic packet)
• Encrypted / wired rogue AP: Ethernet MAC +/- 1 or 2 and OUI based
• Locating, tracking and tracing rogue APs: WLC, PI (SNMP / Auto SPT), MSE
Management Frame Protection (MFP) (for your reference)
• Infrastructure MFP, with an additional Message Integrity Check (MIC) for management frames.
• Client MFP, with encryption of management frames for associated/authenticated clients (CCXv5).
IEEE 802.11w Protected Management Frames (PMF) (for your reference)
• Client protection with additional cryptography for de-authentication and disassociation frames.
• Infrastructure protection with a Security Association (SA) teardown mechanism.
Service Ready: Feature Highlights
• Local profiling
• Bonjour, Apple services
• Solution-level attack protection
• AVC / Netflow
• 802.1X, WebAuth, guest access, MAC auth, BYOD
• NAC RADIUS
• Local policy with AVC, Umbrella
• AAA override: VLAN, ACL, QoS
• TrustSec SXP, inline tagging
• OKC, CCKM roaming
• Cisco Umbrella URL filtering
Securing Client Access
Identity Awareness: choose the access control method
Endpoints: authorized users, IP phones, tablets, network devices, guests, IoT devices.
Authentication features: 802.1X, Identity PSK, MAC Auth Bypass, Web Authentication.
IEEE 802.1X (for your reference)
Roles: supplicant to authenticator over EAP over LAN (EAPoL), a Layer 2 point-to-point link; authenticator to auth server over RADIUS, a Layer 3 link.
Beginning:
• EAPoL Start
• EAPoL Request Identity
• EAP-Response Identity: Alice → RADIUS Access-Request [AVP: EAP-Response: Alice]
Middle (multiple challenge/request exchanges possible):
• RADIUS Access-Challenge [AVP: EAP-Request PEAP] → EAP-Request: PEAP
• EAP-Response: PEAP → RADIUS Access-Request [AVP: EAP-Response: PEAP]
End:
• RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] → EAP Success
EAP Authentication Types: different authentication options leveraging different credentials
• Tunnel-based (EAP-PEAP, EAP-FAST) with inner methods EAP-GTC, EAP-TLS or EAP-MSCHAPv2. Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. The tunnel provides security for the inner method, which may be vulnerable by itself.
• Certificate-based (EAP-TLS): for more security, EAP-TLS provides mutual authentication of both the server and the client.
RADIUS Change of Authorization (CoA) (for your reference)
• The RADIUS protocol is initiated by the network device (NAD).
• Without CoA, there is no way to change an authorization from ISE.
• With CoA, the network device listens for CoA requests from ISE (UDP 1700/3799).
CoA actions:
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
“Now I can control ports when I want to!”
(config)#aaa server radius dynamic-author
 client {PSN} server-key {RADIUS_KEY}
RADIUS Change of Authorization (CoA): re-authentication flow
Roles: supplicant to authenticator over EAPoL (Layer 2 point-to-(multi)point); authenticator to AuthC server over RADIUS (Layer 3).
Change of Authorization:
• AuthC server to authenticator: RADIUS CoA-Request [VSA: subscriber: reauthenticate]
• Authenticator to AuthC server: RADIUS CoA-Ack
Re-Authentication:
• EAPoL Request Identity
• EAP-Response Identity: Alice → RADIUS Access-Request [AVP: EAP-Response: Alice]
• RADIUS Access-Challenge [AVP: EAP-Request PEAP] → EAP-Request: PEAP
• EAP-Response: PEAP → RADIUS Access-Request [AVP: EAP-Response: PEAP]
• Multiple challenge/request exchanges possible
Identity PSK (AireOS 8.5 release)
• Increased demand for IoT devices
• Identity security without 802.1X
• High scale, cost effective, simple operations
• Private PSK with RADIUS integration
• Per-client AAA override (VLAN / ACL, QoS etc.)
Identity PSK: how it works
A PSK WLAN with MAC filtering and AAA override. Employees use the WLAN PSK; IoT devices and sensors each receive a private PSK returned by RADIUS for their MAC group:
Device MAC Group | Private PSK
IoT Devices | aabbcc
Sensors | xxyyzz
Employees | --- (WLAN PSK)
RADIUS returns for IoT devices:
Cisco-AVPair += "psk-mode=ascii"
Cisco-AVPair += "psk=aabbcc"
and for sensors:
Cisco-AVPair += "psk-mode=ascii"
Cisco-AVPair += "psk=xxyyzz"
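An added Python example, not ISE or WLC code, covering the two RADIUS mechanisms in the preceding slides: the Cisco-AVPair vendor-specific attributes (psk-mode / psk) that an Access-Accept carries for Identity PSK, and the CoA-Request that the network device must validate with the shared key before acting on it. Vendor id 9 and vendor type 1 are the real Cisco-AVPair values, and the authenticator rules follow RFC 2865 and RFC 5176; the MAC table, shared secret, packet ids and the exact "subscriber:command=reauthenticate" string are assumptions for the example.

```python
"""Cisco-AVPair encoding for Identity PSK and a CoA-Request authenticator check.

Added example for this deck, not Cisco or ISE code. RADIUS framing, the VSA
layout (attribute 26, vendor id 9 for Cisco, vendor type 1 = Cisco-AVPair) and
the authenticator rules come from RFC 2865 and RFC 5176. The device table,
shared secret, packet ids and the reauthenticate AV-pair string are assumed.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
COA_REQUEST = 43
ATTR_VSA = 26
ATTR_CALLING_STATION_ID = 31
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# Constructed MAC-filtering table mirroring the slide: group -> private PSK.
# Employees have no private PSK and therefore fall back to the WLAN PSK.
DEVICE_GROUPS = {
    "00:11:22:33:44:55": ("IoT Devices", "aabbcc"),
    "66:77:88:99:aa:bb": ("Sensors", "xxyyzz"),
    "cc:dd:ee:ff:00:11": ("Employees", None),
}


def text_attr(atype: int, value: str) -> bytes:
    """Encode a plain RADIUS text attribute (type, length, value)."""
    data = value.encode()
    return struct.pack("!BB", atype, 2 + len(data)) + data


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as a RADIUS Vendor-Specific attribute."""
    data = value.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VSA, 6 + len(inner), CISCO_VENDOR_ID) + inner


def ipsk_avpairs(mac: str) -> list:
    """AV pairs the RADIUS server returns for a device MAC (empty = WLAN PSK)."""
    _group, psk = DEVICE_GROUPS[mac.lower()]
    return [] if psk is None else ["psk-mode=ascii", f"psk={psk}"]


def parse_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return the Cisco-AVPair strings in it."""
    out, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == ATTR_VSA:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while j < i + alen:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    out.append(attrs[j + 2:j + vlen].decode())
                j += vlen
        i += alen
    return out


def build_packet(code: int, ident: int, attrs: bytes, secret: bytes,
                 request_auth: bytes = bytes(16)) -> bytes:
    """Header + authenticator + attributes. Response Authenticator (RFC 2865) and
    CoA-Request Authenticator (RFC 5176) are both MD5(Code+ID+Length+RequestAuth
    +Attributes+Secret); for a CoA-Request the RequestAuth field is 16 zero octets."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs


def access_accept_for(mac: str, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Access-Accept answering a MAC-filtering Access-Request for this device."""
    attrs = b"".join(cisco_avpair(p) for p in ipsk_avpairs(mac))
    return build_packet(ACCESS_ACCEPT, ident, attrs, secret, request_auth)


def coa_reauthenticate(mac: str, ident: int, secret: bytes) -> bytes:
    """CoA-Request asking the NAD to re-authenticate the session of this MAC."""
    attrs = text_attr(ATTR_CALLING_STATION_ID, mac) + \
        cisco_avpair("subscriber:command=reauthenticate")
    return build_packet(COA_REQUEST, ident, attrs, secret)


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """NAD side: accept a CoA-Request only if its authenticator was computed with
    our shared key over this exact packet; anything else is silently dropped."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

The server-key configured with aaa server radius dynamic-author on the previous slide is the secret verify_coa_request uses: a CoA-Request whose authenticator does not verify is dropped, so nobody without that key can bounce or re-authenticate sessions.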
Local Web Authentication (LWA)
LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC. MAB and 802.1X (against the ISE server) are optional steps before web auth.
0. A pre-webauth ACL restricts the client until web auth completes.
1. SSID with WebAuth (optional MAB / 802.1X)
2. Host acquires an IP address (DHCP/DNS), triggering session state
3. Host opens a browser, receives the login page and sends its password
4. WLC queries the AAA server
5. AAA server returns the policy (server authorizes user)
6. WLC applies the new WebAuth policy (L3)
Central Web Authentication (CWA)
CENTRAL because the redirection URL and the pre-webauth ACL are centrally configured on ISE and communicated to the WLC via RADIUS.
1. Open SSID with MAC filtering enabled
2. First authentication session: MAB against the ISE server
3. AuthC success; AuthZ for the unknown MAC returned: redirect/filter ACL and portal URL
4. Host acquires an IP address (DHCP/DNS), triggering session state
5. Host opens a browser; the WLC redirects it to the ISE web page (login page) and the host sends username/password
6. Web auth success results in a CoA (server authorizes user)
7. MAB re-auth, MAB success; session lookup, policy matched; authorization ACL/VLAN returned
Other URL-Redirect scenarios (posture, MDM, etc.)
1. SSID configured for 802.1X / MAB
2. First authentication session (802.1X / MAB against the ISE server)
3. AuthC success; AuthZ returned: redirect/filter ACL and the URL for posture/MDM/etc.
4. Host acquires an IP address (DHCP/DNS), triggering session state
5. Host opens a browser; the WLC redirects it to ISE for other services: posture check, MDM check, client provisioning, etc.
6. RADIUS CoA (server authorizes user)
7. 802.1X/MAB re-auth and success; session lookup, policy matched; authorization ACL/VLAN returned
• CWA is a URL-Redirect scenario.
• Thanks to RADIUS CoA we can apply other identity services after 802.1X, MAB or WebAuth.
Secure Network Services
How about policies?
• Differentiating user groups.
• Keeping untrusted devices out.
• Basic access vs. full access.
Network Policy Enforcement
Different wired and wireless security leaves you vulnerable to risk and malicious activity; the latest Cisco wireless minimizes risk and works with switching and routing for end-to-end validation.
Network as a Sensor and Enforcer:
1. Access policy created on Identity Services Engine
2. Authorized user accepts the policy
3. Network validates activity, serving as a sensor and policy enforcer
Cisco Identity Services Engine (ISE)
ISE consolidates ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server into one platform:
• Centralized policy
• RADIUS server
• Posture assessment
• Guest access services
• Device profiling
• Client provisioning
• MDM
• Monitoring & troubleshooting
• SIEM integration
• Device admin / TACACS+
See BRKSEC-3697 and BRKSEC-3699.
Authentication and Authorization: what are they?
• Authentication (802.1X / iPSK / MAB / WebAuth) tells who/what the endpoint is.
• Authorization tells what the endpoint has access to.
ISE Policy Rules (for your reference)
1. Authentication Rules
• Define what identity stores to reference.
• Example: Active Directory, CA Server, internal DB, etc.
2. Authorization Rules
• Define what users and devices get access to resources.
• Example: all employees with Windows laptops have full access.
Guests and BYOD, can’t hide...
Role-Based Application Policy
• Alice (user) and Bob (IT admin) are both employees
• Both Alice and Bob are connected to the same SSID
• Bob can access certain applications (YouTube), Alice cannot
Role-Based + Device-Type Application Policy
• Alice can access inventory info on an IT-provisioned Windows laptop
• Alice cannot access inventory info on her personal iPad
Role-Based + Device-Type + Application-Specific Policy
• Alice has limited access (rate limit) to Jabber on her iPhone
AVC timeline:
• 7.4: AVC
• 7.5: dynamic protocol pack update
• 7.6: Jabber, Lync 2013 support
• 8.0: user- and device-aware policies; ability to classify Apple iOS, Windows, Android upgrades; per user-group, per device policy tie-in to AVC
• 8.1: user- and device-aware policies; ability to classify Apple iOS, Windows, Android upgrades
• 8.2: Wi-Fi calling; Skype for Business; UserId + IP flow for Netflow export; Lancope collector
AVC (Application Visibility and Control): per-user profiles via AAA
The RADIUS server returns an AVC profile name to the WLC per user role:
• Employee: cisco-av-pair = avc-profile-name = AVC-Employee (applications shown: YouTube, Facebook, Skype, BitTorrent)
• Contractor: cisco-av-pair = avc-profile-name = AVC-Contract (applications shown: Facebook, Skype)
WLC integration with StealthWatch (see BRKSEC-3014)
As of AireOS 8.2 on 5520/8510/8540 WLCs: the WLC exports Netflow v9 records (e.g. a BitTorrent flow) to StealthWatch; StealthWatch requests a quarantine through pxGrid notifications to ISE, which issues a CoA to the WLC.
Security Group Access (SGA): AireOS 8.3 and before, SXP peering from the WLC
Users and endpoints join through 802.1X, MAB or WebAuth (including agent-less devices) and ISE assigns each a Security Group Tag, e.g. SGT=5. Frames leaving the WLC on VLAN 100 are untagged, so the WLC sends its IP-to-SGT binding table via SXP (WLC as speaker, switch as listener) to SGT-tagging or SGACL-capable devices (e.g. Catalyst 3750-X); from there the frames are tagged into the campus network (Catalyst 3k-X, Cat 6500 distribution) and the SGACL is enforced, here protecting the IT Portal (SGT 4, 10.1.100.10).
IP Address | SGT
10.1.10.102 | 5
10.1.10.110 | 14
10.1.99.100 | 12
SGACL: deny sgt-src 5 sgt-dst 4
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
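The binding table and the SGACL above can be exercised with the following added Python example (not IOS or WLC code) that does what an SXP listener does: longest-prefix match of an IP address to its SGT, an SGACL decision for a source/destination pair, and application of an SXP add/delete update. The IT Portal binding 10.1.100.10 = SGT 4, the extra /24 binding, SGT 0 as "Unknown" for unbound addresses and the implicit permit at the end of the SGACL are assumptions made for the example.

```python
"""IP-to-SGT binding lookup and SGACL decision, as an SXP listener applies them.

Added example for this deck, not IOS or WLC code. Host bindings and the single
SGACL entry come from the slide; the IT Portal binding, the subnet binding,
SGT 0 as Unknown and the implicit permit are assumptions.
"""
import ipaddress

UNKNOWN_SGT = 0   # assumed: TrustSec reserves SGT 0 for "Unknown"

# Constructed binding table. SXP speakers (here the WLC) send host bindings;
# the listener may also hold static subnet bindings, so prefixes stay generic.
SXP_BINDINGS = {
    "10.1.10.102/32": 5,
    "10.1.10.110/32": 14,
    "10.1.99.100/32": 12,
    "10.1.100.10/32": 4,      # IT Portal (SGT 4) from the slide
    "10.1.100.0/24": 4,       # assumed: the whole server subnet is SGT 4
}

# SGACL from the slide: (action, source SGT, destination SGT); None = any.
SGACL = [
    ("deny", 5, 4),
]


def compile_bindings(bindings: dict) -> list:
    """Parse prefixes once and order them longest-prefix-first for matching."""
    nets = [(ipaddress.ip_network(p), sgt) for p, sgt in bindings.items()]
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)


def sgt_for(ip: str, compiled: list) -> int:
    """Longest-prefix match; addresses with no binding get the Unknown SGT."""
    addr = ipaddress.ip_address(ip)
    for net, sgt in compiled:
        if addr in net:
            return sgt
    return UNKNOWN_SGT


def sgacl_decision(src_ip: str, dst_ip: str, compiled: list, sgacl: list,
                   default: str = "permit") -> dict:
    """Resolve both SGTs, then take the first SGACL entry that matches."""
    src_sgt, dst_sgt = sgt_for(src_ip, compiled), sgt_for(dst_ip, compiled)
    for action, s, d in sgacl:
        if (s is None or s == src_sgt) and (d is None or d == dst_sgt):
            return {"src_sgt": src_sgt, "dst_sgt": dst_sgt,
                    "action": action, "matched": (action, s, d)}
    return {"src_sgt": src_sgt, "dst_sgt": dst_sgt,
            "action": default, "matched": None}


def merge_sxp_updates(bindings: dict, add: dict = None, delete: list = None) -> dict:
    """Apply an SXP update: an added binding replaces an existing one for the
    same prefix, and a delete removes the prefix entirely."""
    merged = dict(bindings)
    for prefix, sgt in (add or {}).items():
        merged[str(ipaddress.ip_network(prefix))] = sgt
    for prefix in (delete or []):
        merged.pop(str(ipaddress.ip_network(prefix)), None)
    return merged


if __name__ == "__main__":
    table = compile_bindings(SXP_BINDINGS)
    print(sgacl_decision("10.1.10.102", "10.1.100.10", table, SGACL))
    print(sgacl_decision("10.1.10.110", "10.1.100.10", table, SGACL))
```

The merge step matters in practice: when a client roams or re-authenticates and ISE assigns a different SGT, the listener must replace the old host binding, otherwise the SGACL keeps enforcing the previous role.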
Security Group Access (SGA): AireOS 8.4, SXP peering from the AP (802.11ac APs)
Users and endpoints join through 802.1X, MAB or WebAuth (including agent-less devices) and ISE assigns the SGT (e.g. SGT=5). The same IP-to-SGT bindings (10.1.10.102 → 5, 10.1.10.110 → 14, 10.1.99.100 → 12) are now sent by the AP as SXP speaker to the Catalyst 3k-X listener, which enforces the SGACL (deny sgt-src 5 sgt-dst 4) in the campus network.
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
Security Group Access (SGA): AireOS 8.4, SGT inline tagging at the WLC (5520/8540) or AP (802.11ac APs)
Frames leave the WLC or the AP already tagged (SGT=5), so no SXP exchange is needed; the Catalyst 3k-X in the campus network enforces the SGACL (deny sgt-src 5 sgt-dst 4) on the tagged frames.
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
Security Group Access (SGA): AireOS 8.4, SGACL at the WLC (5520/8540) or AP (802.11ac APs)
The SGACL (deny sgt-src 5 sgt-dst 4) is enforced directly on the WLC or the AP for the users and endpoints (802.1X, MAB, WebAuth, agent-less devices) tagged by ISE. See BRKSEC-2203 and BRKSEC-3690.
SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
Introducing Cisco Umbrella with WLC
Client DNS queries reach the local DNS server (10.1.1.1, or an external DNS proxy), which forwards them to the Cisco Umbrella cloud DNS server (208.67.220.220). Umbrella applies the organization's policies (e.g. ACME: block gaming sites) and returns the DNS response.
WLC integration with Cisco Umbrella

[Figure: the client's DNS query passes through the WLC to the Cisco Umbrella cloud; the DNS response returns along the same path]

WLC integration with OpenDNS

[Figure: the same query/response flow, with the Cisco Umbrella cloud shown under its former OpenDNS name]

See also BRKSEC-2980 and LABSEC-2006.
OpenDNS Policy Segmentation

[Figure, left, current ISR implementation: an ISR 4K with Contractor, Corp and Guest interfaces, each mapped to its own Cisco Umbrella policy (Policy 1, Policy 2, Policy 3); site-specific policy, enforced per interface]

[Figure, right, wireless controller for dynamic evaluation of attributes for access control: the identity server returns attributes for the client, and the WLC selects the Cisco Umbrella policy for the Corp network or the Guest network from those attributes rather than from the interface the client arrived on]
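The Umbrella slides and the policy segmentation slide describe one mechanism: the WLC forces the client's DNS query to a policy resolver, the resolver applies the policy selected for that client's identity, and a blocked name resolves to a block page instead of the real host. The simulation below is an added example and not Cisco or Umbrella code. It speaks real DNS wire format (RFC 1035 header and question, A records only) so the client side can be checked byte for byte; the resolver address 208.67.220.220 and the "block gaming sites" policy come from the slides, while the category map, zone data, block-page address, identity tagging and the "forced" behaviour of the WLC are constructed assumptions.

```python
"""Simulated DNS-layer policy enforcement behind a WLC, in the pattern of the Umbrella slides.

Added example, not Cisco or Umbrella code. The wire format is real DNS; the
category map, zone, block-page address, identity tag and forced mode are assumed.
"""
import struct
from typing import Dict, Optional, Set, Tuple

UMBRELLA_RESOLVER = "208.67.220.220"  # from the slide
BLOCK_PAGE_IP = "192.0.2.1"           # assumption: address of the block page
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

# Constructed stand-ins for the cloud's categorisation and for the "real" answers
CATEGORY: Dict[str, str] = {"games.example": "gaming", "news.example": "news"}
ZONE: Dict[str, str] = {"games.example": "198.51.100.10", "news.example": "198.51.100.20"}
# Constructed per-identity policy: ACME blocks gaming (the slide's example), guests block nothing
POLICY: Dict[str, Set[str]] = {"acme": {"gaming"}, "guest": set()}


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("!B", len(lb)) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at off; follows a compression pointer (used for the answer owner name)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            target, _ = decode_name(buf, ptr)
            labels.append(target)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_query(buf: bytes) -> Tuple[int, str]:
    txid, flags, qdcount = struct.unpack("!HHH", buf[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    qname, _ = decode_name(buf, 12)
    return txid, qname.lower()


def build_response(txid: int, qname: str, ip: Optional[str], rcode: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)  # QR, RD, RA
    msg = header + encode_name(qname) + struct.pack("!HH", 1, 1)
    if ip:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata  # owner = pointer to offset 12
    return msg


def classify(qname: str) -> Optional[str]:
    """Longest-suffix match so play.games.example inherits the category of games.example."""
    parts = qname.split(".")
    for i in range(len(parts)):
        category = CATEGORY.get(".".join(parts[i:]))
        if category:
            return category
    return None


def plain_answer(txid: int, qname: str) -> bytes:
    """What a resolver with no policy (the internal server at 10.1.1.1) returns."""
    ip = ZONE.get(qname)
    return build_response(txid, qname, ip, RCODE_NOERROR if ip else RCODE_NXDOMAIN)


def resolve(query: bytes, identity: str) -> bytes:
    """Policy resolver: block page for a blocked category, otherwise a normal answer."""
    txid, qname = parse_query(query)
    if classify(qname) in POLICY.get(identity, set()):
        return build_response(txid, qname, BLOCK_PAGE_IP, RCODE_NOERROR)
    return plain_answer(txid, qname)


def wlc_forward(query: bytes, identity: str, force: bool) -> bytes:
    """Assumed WLC behaviour: forced queries go to the policy resolver regardless of the
    DNS server the client configured; otherwise the query reaches the internal server."""
    if force:
        return resolve(query, identity)
    return plain_answer(*parse_query(query))


def answer_ip(response: bytes) -> Tuple[int, Optional[str]]:
    """Return (rcode, first A record) as the client sees it."""
    _, flags, _, ancount = struct.unpack("!HHHH", response[:8])
    _, off = decode_name(response, 12)
    off += 4                                     # skip QTYPE, QCLASS
    if ancount == 0:
        return flags & 0x000F, None
    _, off = decode_name(response, off)          # owner name (compression pointer)
    _, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    rdata = response[off + 10:off + 10 + rdlen]
    return flags & 0x000F, ".".join(str(b) for b in rdata)
```

Two points the code makes explicit: a blocked name is answered with NOERROR and the block-page address rather than NXDOMAIN, so the browser lands on an explanatory page instead of an error; and the policy only applies to queries that actually reach the resolver, which is why wlc_forward with force=False returns the real address. Clients that bypass the WLC's redirection (a hard-coded resolver, DNS over HTTPS, or an IP literal) are not covered by DNS-layer policy and still need the traffic controls from the earlier sections.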
mDNS and Bonjour Services

[Figure: a Teacher Network and a Student Network. Teacher Service Profile: AirPrint, AirPlay, File Share. Student Service Profile: AirPlay, File Share. mDNS service instance groups (AirPrint, iTunes Sharing, Apple TVs) are mapped to per-role instance lists: the Teacher Service Instance List contains Apple TV1 and Apple TV2, the Student Service Instance List contains Apple TV1 only]

• mDNS Profiles – select services
• mDNS Profile with Local Policy – services per-user and per-device
• mDNS Policies – services based on AP location and user role
• mDNS AP – services behind a L3 boundary
• Location Specific Services
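The slide combines two filters on top of an mDNS gateway: a service profile (which service types a role may discover) and a service instance list (which advertised instances a role may see), optionally restricted by AP location. The gateway below is an added example and not Cisco code; the Teacher and Student profiles and the Apple TV instance lists come from the slide, while the DNS-SD service-type names, the AP locations, the Printer1 instance and the answering logic are assumptions made for this example.

```python
"""Simulated mDNS gateway with per-role service profiles, instance lists and AP-location scope.

Added example, not Cisco code. Profiles and Apple TV instance lists come from the slide;
service-type names, locations, Printer1 and the answering logic are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# DNS-SD service types (assumed mapping of the slide's service names)
SERVICE_TYPES: Dict[str, str] = {
    "AirPlay": "_airplay._tcp.local",
    "AirPrint": "_ipp._tcp.local",
    "File Share": "_afpovertcp._tcp.local",
    "iTunes Sharing": "_daap._tcp.local",
}
TYPE_TO_SERVICE = {stype: name for name, stype in SERVICE_TYPES.items()}

# Service profiles from the slide: which service types each role may discover at all
PROFILES: Dict[str, Set[str]] = {
    "teacher": {"AirPrint", "AirPlay", "File Share"},
    "student": {"AirPlay", "File Share"},
}
# Service instance lists from the slide (Printer1 added for this example)
INSTANCE_LISTS: Dict[str, Set[str]] = {
    "teacher": {"Apple TV1", "Apple TV2", "Printer1"},
    "student": {"Apple TV1"},
}


@dataclass(frozen=True)
class Advertisement:
    instance: str      # e.g. "Apple TV1"
    service_type: str  # e.g. "_airplay._tcp.local"
    location: str      # AP group / location where the gateway heard it (assumption)
    ip: str


class MdnsGateway:
    """Caches advertisements heard from the APs and answers client PTR queries by policy."""

    def __init__(self) -> None:
        self.cache: List[Advertisement] = []

    def learn(self, adv: Advertisement) -> None:
        # Replace a stale entry for the same instance and type, otherwise append
        self.cache = [a for a in self.cache
                      if (a.instance, a.service_type) != (adv.instance, adv.service_type)]
        self.cache.append(adv)

    def answer(self, role: str, location: str, service_type: str,
               location_specific: bool = True) -> List[str]:
        """Instances returned for a PTR query on service_type from a client of the given role."""
        service = TYPE_TO_SERVICE.get(service_type)
        if service is None or service not in PROFILES.get(role, set()):
            return []  # not in this role's profile: the client never learns the service exists
        allowed = INSTANCE_LISTS.get(role, set())
        return sorted(
            a.instance for a in self.cache
            if a.service_type == service_type
            and a.instance in allowed
            and (not location_specific or a.location == location)
        )


def demo() -> Dict[str, List[str]]:
    gw = MdnsGateway()
    # Constructed advertisements heard behind APs in two buildings
    gw.learn(Advertisement("Apple TV1", "_airplay._tcp.local", "bldg-A", "10.1.20.11"))
    gw.learn(Advertisement("Apple TV2", "_airplay._tcp.local", "bldg-B", "10.1.20.12"))
    gw.learn(Advertisement("Printer1", "_ipp._tcp.local", "bldg-A", "10.1.20.50"))
    gw.learn(Advertisement("Apple TV1", "_airplay._tcp.local", "bldg-A", "10.1.20.13"))  # re-advertised
    return {
        "teacher_airplay_A": gw.answer("teacher", "bldg-A", "_airplay._tcp.local"),
        "student_airplay_A": gw.answer("student", "bldg-A", "_airplay._tcp.local"),
        "student_airprint_A": gw.answer("student", "bldg-A", "_ipp._tcp.local"),
        "teacher_airprint_A": gw.answer("teacher", "bldg-A", "_ipp._tcp.local"),
        "teacher_airplay_any": gw.answer("teacher", "bldg-A", "_airplay._tcp.local",
                                         location_specific=False),
        "student_airplay_B": gw.answer("student", "bldg-B", "_airplay._tcp.local"),
    }
```

Filtering answers this way hides a service from discovery, which is what keeps a student's device from listing the teacher's Apple TV. It does not stop a client that already knows the address from connecting to it; for that, pair the mDNS policy with an ACL or with the SGACLs from the previous section.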
Conclusion

Key Takeaways
• Security is an end-to-end concern
• Start by securing the infrastructure
• Use CleanAir and WIPS to protect the air
• Protect your client access with CWA and ISE
• AVC policies, TrustSec and SGTs protect your traffic
Thank you
#CiscoLiveLA 2017: presentation by Jerome Henry

 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

#CiscoLiveLA 2017 Presentation by Jerome Henry

  • 1. Presentation Title. Presenter Name and Title. Session ID.
  • 2. Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD. Jerome Henry, Principal Engineer, CCIE – 27450. BRKEWN-2005.
  • 3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
    Agenda. What this session will cover…
    • AP and WLC secure connection;
    • wireless radio threats;
    • secure/open SSID fundamentals;
    • client secure connection options;
    • CUWN and AireOS use cases.
    …and what it won’t…
    • configuration details;
    • version discrepancies;
    • roadmap;
    • IPv6;
    • not too much for guests.
    …except when it does.
  • 4. For your reference
    • There are slides in your PDF that will not be presented, or only quickly presented.
    • They are valuable, but included only “For your reference”.
  • 5. Agenda
    • Secure the infrastructure
    • Protecting the air
    • Secure the clients
    • Network Services
    • Use cases
  • 6. Cisco Digital Network Architecture for mobility
    Automation: • Plug n Play • EasyQoS • ISE: .1x, BYOD and Guest • Open APIs: Modular APs with RESTful APIs • Cloud Service Management • CMX 10.x with Context and Guest • Platforms & Virtualization
    Assurance: • RESTful APIs on WLC • Netflow Export • Apple Network Optimization & FastLane
    Principles: • Modular APs with RESTful APIs • DNA Optimized Controllers: 3504, 5520, 8540 • Various VM Models: ESXi, KVM, HyperV, AWS
    Outcomes: Insights and Experiences; Automation and Assurance; Security and Compliance
  • 7. WLAN portfolio with integrated security
    Pillars: PROTECT THE AIR; PROTECT THE CLIENTS (Integrated Security within APs and WLCs); PROTECT THE NETWORK (Advanced Security with Policies, Segmentation, and Visibility); TRUST (Cisco Trustworthy Systems; Certifications: FIPS, Common Criteria, DoD UC APL)
    Features: Identity PSK; TrustSec (with ISE); Base WIPS; Rogue Detection; CleanAir; Adaptive WIPS; Default best practices; 802.11w, DTLS; Cisco Umbrella Wireless LAN; Cisco Stealthwatch
  • 8. Embedded Security Built for Today’s Threats: Security Expertise and Innovation; Evidence of Trust; Trustworthy Systems Protect the Device.
    “Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions… There has never been a greater need to improve network infrastructure security” (Alert TA16-251A, September 2016)
    Learn more: • Visit trust.cisco.com • See BRKARC-1010 “Protecting the Device: Cisco Trustworthy Systems & Embedded Security” • Meet the Engineer, topic: “Security and Trust Architecture”
  • 9. Cisco Trustworthy Systems Levels. Enterprise Wireless Protects the Network.
    Platform Integrity: Counterfeit Protections; Image Signing; Secure Boot; Modern Crypto; Hardware Trust Anchor; Secure Device Onboarding
    Solution Level Attack Protection: ISE; Stealthwatch; IP Source Guard; ACLs; WIPS/Rogue; DHCP Snooping; Secure Transport; Protections Against Attack (802.11w, r, i); TrustSec; Netflow; Umbrella
    Security Culture: PSIRT Advisories; Security Training; Product Security Baseline; Threat Modeling; Open Source Registration; Supply Chain Management
    Learn more: BRKARC-1010 “Protecting the Device: Cisco Trustworthy Systems & Embedded Security”
  • 10. End to End Security: A Glimpse
    • AP: securing the air through accurate classification of rogues & interference; secure communication with other APs via 802.11w/MFP and DTLS; security at the edge with AWIPS
    • Controller: Netflow collection
    • Lancope (NaaS): security & insights
    • CMX: geo-fencing limits access within the physical perimeter
    • ISE: secure authentication with 802.1x; securing personal devices (BYOD); simple guest deployment; per device & application policies; easy segmentation with TrustSec; IoT classification & policy
    • Cisco Umbrella: content filtering and protection against cyber-attacks
    • Switch: IoT segmentation with TrustSec
    • Devices: ISE + Meraki/third-party MDM
    • NaaE: prioritizes applications
  • 12. Secure Infrastructure Feature Highlights: Infrastructure Hardening; Plug n Play; FIPS Support; Encryption; 802.11 MFP, 802.11w; Certificate store; Best Practices; Trustworthy Systems
  • 13. Securing the infrastructure
    • How to secure the AP connectivity and access.
    • How to secure the communication between the WLC and the AP.
    • How to secure the radio: intrusion detection/prevention; rogue access points; interference.
    Diagram: Access Point (AP) — CAPWAP — Wireless LAN Controller (WLC). Data encapsulation on UDP 5247; control messages on UDP 5246.
  • 14. Securing the AP-WLC communication: CAPWAP tunnels (see BRKEWN-2010)
    Data DTLS:
    • CAPWAP Control is encrypted by default.
    • CAPWAP Data is encapsulated but not encrypted by default.
    • Option to encrypt data traffic for specific APs since 7.0.
    • Support for DTLS data encryption between AP and WLC.
    • Performance impact: without Data DTLS, average vWLC throughput is 200 Mbps; with all APs using Data DTLS, throughput is 100 Mbps.
    Diagram: Wi-Fi Client — Access Point — Controller. CAPWAP data plane (DTLS) UDP 5247; control plane DTLS, UDP 5246.
  • 15. Securing the AP-WLC communication: Manufacturer Installed Certificate (MIC). CAPWAP Control DTLS, UDP 5246; CAPWAP Data (DTLS) UDP 5247.
  • 16. Securing the AP-WLC communication: Locally Significant Certificate (LSC) issued by your PKI. Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html
  • 17. Securing the AP-WLC communication: Out-of-Box AP Group and RF Profile (v7.3+). Berlin AP Group > Radios Enabled; Out-of-Box AP Group > Radios Disabled. Example: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01011101.html#ID2870
  • 18. APIC-EM Plug-n-Play (PnP), AireOS 8.2. PnP Server; Site-2 (WLC-2a, WLC-2b); Site-3 (WLC-3a, WLC-3b).
    Site | Product ID | Serial # | Hostname | Configuration
    Site-2 | AIR-CAP3702I-A-K9 | RFD0XP2T025 | Site-2-AP | Site-2-Config
    Site-3 | AIR-CAP3702I-A-K9 | RFE0ZP2T026 | Site-3-AP | Site-3-Config
    Configuration | WLC | AP Group | AP Mode
    Site-2-Config | WLC-2a | Site-2-Group | AP-Site-2
    Site-3-Config | WLC-3a | Site-3-Group | AP-Site-3
    Resulting AP settings. Site-2: WLC IP: WLC-2a; AP Name: Site-2-AP; AP Mode: Local; AP Group: Site-2-Group. Site-3: WLC IP: WLC-3a; AP Name: Site-3-AP; AP Mode: FlexConnect; AP Group: Site-3-Group.
  • 19. APIC-EM Plug-n-Play (PnP), for secure provisioning of Access Points.
    • The AP learns the APIC-EM IP from DHCP option 43 or by DNS resolution of pnpserver.<dhcp-domain-option>.
    • APIC-EM: AP SN #123 > Config. File (WLC IP, Berlin AP Group, etc.); the AP (SN #123) then joins the WLC (Berlin AP Group).
    • AP SN #456 > not in any Project list > Claim list.
    AP PnP Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html
  • 20. Securing the AP-WLC communication: Default AP Group and WLAN Id > 16. Default AP Group > WLAN Id 1-16; Berlin AP Group > WLAN Id 17+. For your reference.
  • 21. Wireless connection workflow. Endpoint — 802.11 — Access Point (AP) — CAPWAP — Wireless LAN Controller (WLC); data encapsulation UDP 5247, control messages UDP 5246.
    • Probe Request / Probe Response (the Probe Request is forwarded to the WLC)
    • Authentication Request / Authentication Response (not for 802.1X, but in case of PSK)
    • (Re)Association Request / (Re)Association Response
    • 802.1X phase if enabled
    • EAPoL Keys exchange in case of PSK or 802.1X
    • Other identity services
    The diagram marks the IDS/wIPS focus on these exchanges.
  • 22. AP control at the access layer: a few words on 802.1X. Supplicant — EAP over LAN (EAPoL), Layer 2 point-to-(multi)point — Authenticator — RADIUS, Layer 3 link — AuthC Server.
    Beginning: EAPoL Start; EAPoL Request Identity; EAP-Response Identity: Printer; RADIUS Access-Request [AVP: EAP-Response: Printer]
    Middle: EAP-Request: EAP-FAST; EAP-Response: EAP-FAST; RADIUS Access-Challenge [AVP: EAP-Request EAP-FAST]; RADIUS Access-Request [AVP: EAP-Response: EAP-FAST]; multiple Challenge-Request exchanges possible
    End: EAP Success; RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
  • 23. AP control at the access layer: 802.1X credentials for the AP*. Supplicant (Access Point) — EAPoL — Authenticator — RADIUS — AuthC Server.
    AP# capwap ap dot1x username [USER] password [PWD]
    * Not supported today on 1800/2800/3800 APs.
  • 24. AP control at the access layer: the FlexConnect challenge. A FlexConnect AP “needs” a trunk port, while 802.1X (usually) needs an access port:
    interface GigabitEthernet1/0/1
     switchport access vlan 100
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
     ...
  • 25. AP control at the access layer: the FlexConnect challenge. Supplicant: “Here I am.” Authenticator: “What do you think?” AuthC Server: “Accept. Here is the interface template*.” (* IOS 15.2(2)E; see LABSEC-2004)
    RADIUS returns: cisco-av-pair=interface-template-name=FLEXCONNECT_AP_TRUNK_TEMPLATE
    template FLEXCONNECT_AP_TRUNK_TEMPLATE
     switchport trunk native vlan 100
     switchport trunk allowed vlan 100,110,120,130
     switchport mode trunk
     spanning-tree portfast trunk
  • 26. Security and Threat Mitigation
  • 27. Security and Threat Mitigation: P2P Blocking; Client Exclusion; awIPS, ELM; Rogue Detection (Local, Monitor, Security Module); 2800/3800 XOR Radio FRA (5 GHz serving / 2.4 GHz serving / 5 and 2.4 GHz monitor; enabled by Dual 5 GHz; adjust radio bands to better serve the environment); Cisco CleanAir® (off-channel scanning, classification); TKIP Encryption (8.3 MR1); EDRRM
  • 28. wIPS Process Flow and Component Interactions. Base WIPS flow: wIPS AP (1) > WLC (2) > PI, optional (3). Adaptive WIPS flow: wIPS AP (1) > WLC (2) > wIPS MSE 8.x (3) > PI (4).
    Solution | Components | Functions | Licensing
    Base WIPS | WLC, AP and Prime Infrastructure (optional) | Supports 17 native signatures. Supports rogue detection & containment | Does not require any licensing
    Adaptive WIPS | WLC, AP, MSE and Prime Infrastructure | Offers comprehensive over-the-air threat detection & mitigation | Licensed feature on MSE
    Cisco WIPS solution = Base WIPS + Adaptive WIPS
  • 29. Intrusion Detection System (IDS)
    • It works with a basic WLC+AP deployment.
    • 17 pre-canned signatures.
    • Additional custom signatures are supported.
  • 30. AWIPS: Accurate Detection & Mitigation
    • Detection: device inventory analysis; signature & anomaly detection; network traffic analysis; on/off-channel scanning. Threats: rogue AP/clients, ad-hoc connections, over-the-air attacks, cracking, recon, DoS
    • Classification: default tuning profiles; customizable event auto-classification; wired-side tracing; physical location
    • Notification: unified PI security dashboard; flexible staff notification; device location
    • Mitigation: wired port disable; over-the-air mitigation; auto or manual; uses all APs for superior scale
    • Management: role-based with audit trails; customizable event reporting; PCI reporting; full event forensics
  • 31. wireless Intrusion Prevention System (wIPS). Threat categories: Denial of Service (service disruption); Evil Twin/Honeypot AP (hacker’s AP); Reconnaissance (seeking network vulnerabilities); Cracking Tools (sniffing and eavesdropping); Non-802.11 Attacks (backdoor access via a Bluetooth AP; service disruption by radar, RF jammers, Bluetooth, microwave, detected by CleanAir and tracked by MSE); Ad-hoc Wireless Bridge (client-to-client backdoor access); Rogue Access Points.
  • 32. wIPS with Cisco Mobility Services Engine (MSE) 8.0. Diagram: Prime, WLCs, APs and MSE; SOAP/XML over HTTP/HTTPS.
  • 33. IDS and wIPS Signatures: IDS on WLC; wIPS on MSE. For your reference.
  • 34. Supported AP modes for wIPS: data on 2.4 and 5 GHz, wIPS on all channels; data on 2.4 and 5 GHz, wIPS on all channels; data on 5 GHz, wIPS on all channels; data on 2.4 and 5 GHz, wIPS on all channels “best effort”. Cisco Adaptive wIPS Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43500
  • 35. Cisco Wireless Security Deployment with AP3800/2800: maintains capacity and avoids interference.
    Features | Good: ELM | Better: Monitor Mode AP | Best: ELM with FRA Monitor Mode
    Deployment Density | Per AP | 1 in 5 APs | 1 radio per 5 APs
    Client Serving with Security Monitoring | Y | N | Y
    wIPS Security Monitoring | 50 ms off-channel scan on selected channels on 2.4 and 5 GHz | 7 x 24, all channels on 2.4 GHz and 5 GHz | 7 x 24, all channels on 2.4 GHz and 5 GHz
    CleanAir Spectrum Intelligence | 7 x 24 on client serving channel | 7 x 24, all channels on 2.4 GHz and 5 GHz | 7 x 24, all channels on 2.4 GHz and 5 GHz
    Timeline diagrams (serving channel vs. off-channel time per band): Enhanced Local Mode Access Point (GOOD); Monitor Mode Access Point (BETTER, cycling through all channels, e.g. Ch1, Ch2 … Ch11 and Ch36, Ch38 … Ch157, Ch161); ELM with FRA Wireless Security Monitoring (BEST).
  • 36. Rogue Access Points: what are they?
    • A rogue AP is an AP that does not belong to our deployment.
    • We might need to care (malicious/on network) or not (friendly).
    • Sometimes we can disable them, sometimes we can mitigate them.
    “I don’t know it.” “Me neither.”
  • 37. Rogue Detection and Mitigation
    • Rogue Classification and Containment: rogue rules; manual classification – friendly/malicious; manual and auto containment
    • CleanAir with Rogue AP Types: WiFi Invalid Channel; WiFi Inverted
    • Rogue Location: real-time with PI, MSE, CleanAir; location of rogue APs and clients, ad-hoc rogues, non-Wi-Fi interferers
    Scanning: Data Serving AP (serves clients on 2.4 GHz and 5 GHz, 50 ms off-channel); Monitor Mode AP (scans 1.2 s per channel); FRA with MM (serves clients on dedicated 5 GHz, scans 1.2 s per channel)
  • 38. Rogue AP Detection: Rogue Rules in the WLC and General Options
  • 39. Containing Multiple Rogues with a Single Click
    • In 7.4, the WLC allows manual containment of multiple rogue APs in a single click.
    • Rogues are classified and the admin alerted; the admin can then initiate containment in a single click.
    • The AP nearest to the rogue AP sends containment packets to the rogue AP.
    • Rogue clients per rogue AP have been increased from 16 to 256 (the 2504 supports 64 rogue clients per rogue AP).
    Step 0: create a Rogue Policy. Step 1: select rogues (click to select all). Step 2: click [Contain] (click to contain all).
  • 40. Policy Based Auto Containment
    • Custom Rogue Policy allows the administrator to generate multiple custom rogue policies, which include an automated action.
    • Based on the administrative rogue rule policy, a rogue AP/client can be automatically classified as an internal or external rogue and can trigger auto-containment.
    Rule Type | Notify / Action | Custom Severity
    Friendly | Alert; Internal; External | No
    Malicious | Alert; Contain | No
    Custom | Alert; Contain | Yes (1…100)
    Step 1: create a rogue rule with a containment action. Step 2: the filtered rogue list will be automatically contained.
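    Slides 37 to 40 describe rogue classification as a small policy engine: an ordered list of rules, each with a type (Friendly, Malicious or Custom with a severity), match conditions and an action (Alert or Contain), evaluated against what the APs report. The Python model below is an added example, not WLC or Prime code; the condition names (managed SSID, SSID substring, RSSI, client count, no encryption, seen on the wire) are assumptions modelled on the options the rogue rules expose, the first-match-wins ordering is an assumption, and every rogue report is constructed sample data. It enforces the table's constraints (only Custom rules carry a severity, Friendly rules never contain), which is the check a reviewer wants before a rule set is allowed to auto-contain.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class RogueReport:
    """A rogue AP as the WLC would see it (constructed sample data, not telemetry)."""
    bssid: str
    ssid: str
    rssi_dbm: int            # strongest RSSI reported by any of our APs
    client_count: int
    encrypted: bool
    on_wired_network: bool   # learned via RLDP or a Rogue Detector AP


@dataclass
class RogueRule:
    name: str
    rule_type: str           # "Friendly", "Malicious" or "Custom"
    action: str              # "Alert" or "Contain"
    conditions: List[Callable[[RogueReport], bool]] = field(default_factory=list)
    match_all: bool = True   # True: every condition must match; False: any one
    severity: Optional[int] = None   # Custom rules only, 1..100 (slide 40 table)

    def __post_init__(self) -> None:
        # Constraints from the slide 40 table, checked when the rule is created.
        if self.rule_type == "Custom":
            if self.severity is None or not 1 <= self.severity <= 100:
                raise ValueError("Custom rules need a severity between 1 and 100")
        elif self.severity is not None:
            raise ValueError("only Custom rules carry a severity")
        if self.rule_type == "Friendly" and self.action == "Contain":
            raise ValueError("Friendly rules may only alert, never contain")

    def matches(self, r: RogueReport) -> bool:
        results = [c(r) for c in self.conditions]
        return all(results) if self.match_all else any(results)


# Condition builders (assumed names, modelled on the WLC rogue-rule options).
def managed_ssid(our_ssids): return lambda r: r.ssid in our_ssids
def ssid_substring(s): return lambda r: s.lower() in r.ssid.lower()
def rssi_at_least(dbm): return lambda r: r.rssi_dbm >= dbm
def clients_at_least(n): return lambda r: r.client_count >= n
def no_encryption(): return lambda r: not r.encrypted
def on_wire(): return lambda r: r.on_wired_network


@dataclass
class Verdict:
    classification: str      # Friendly / Malicious / Custom / Unclassified
    action: str              # Alert / Contain
    rule: Optional[str]
    severity: Optional[int]


def classify(report: RogueReport, rules: List[RogueRule]) -> Verdict:
    """First matching rule wins (assumption: rules are evaluated in priority order).
    Anything no rule matches is left Unclassified and only alerted on."""
    for rule in rules:
        if rule.matches(report):
            return Verdict(rule.rule_type, rule.action, rule.name, rule.severity)
    return Verdict("Unclassified", "Alert", None, None)


def demo(our_ssids=("CORP",)) -> Dict[str, Verdict]:
    """Constructed rule set and rogue reports; returns verdicts keyed by BSSID."""
    rules = [
        # A rogue advertising one of our SSIDs is the honeypot/evil-twin case.
        RogueRule("honeypot-ssid", "Malicious", "Contain", [managed_ssid(set(our_ssids))]),
        # Anything traced to our wire is a network rogue regardless of its SSID.
        RogueRule("wired-rogue", "Malicious", "Contain", [on_wire()]),
        # Known neighbour network: classify friendly so it stops raising alarms.
        RogueRule("neighbour-cafe", "Friendly", "Alert", [ssid_substring("cafe")]),
        # Strong, busy unknown AP: custom severity for the dashboard, alert only.
        RogueRule("strong-unknown", "Custom", "Alert",
                  [rssi_at_least(-60), clients_at_least(1)], severity=60),
    ]
    reports = [
        RogueReport("00:11:22:33:44:01", "CORP", -55, 3, True, False),
        RogueReport("00:11:22:33:44:02", "cafe-wifi", -80, 0, False, False),
        RogueReport("00:11:22:33:44:03", "linksys", -50, 2, True, True),
        RogueReport("00:11:22:33:44:04", "MyHotspot", -52, 1, True, False),
        RogueReport("00:11:22:33:44:05", "NETGEAR", -85, 0, True, False),
    ]
    return {r.bssid: classify(r, rules) for r in reports}


if __name__ == "__main__":
    for bssid, v in demo().items():
        print(bssid, v.classification, v.action, v.rule, v.severity)
```

    Containment is the one action with collateral effect (the nearest AP spends air time on it), so in this model only Malicious and Custom rules can request it, and the rule set is validated at construction rather than when a rogue happens to match.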
  • 41. Rogue AP Detection: Rogue Location Discovery Protocol (RLDP). An AP associates to the rogue AP as a client and sends an RLDP message (UDP:6352) towards the WLC. Caveats:
    • it only works if the rogue SSID is open;
    • it does not work if the RLDP message gets filtered;
    • while trying to associate to the rogue AP, the RLDP AP stops serving clients (up to 30 s).
  • 42. Rogue AP Detection: Rogue Detector mode. The Rogue Detector AP sits on a trunk carrying all monitored VLANs (WLC, AP, client, etc.) and looks for ARP traffic from rogue clients. Caveats:
    • it only works if the rogue client’s MAC is not behind NAT;
    • it supports up to 500 rogue MACs.
    Config. guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html
  • 43. Rogue AP Detection: Switch Port Tracing. Prime walks CDP neighbors, then the CAM table, then the CAM table of the next hop. For your reference.
  • 44. CleanAir and RRM (channel diagram: APs on channels 1, 6 and 11).
  • 45. CleanAir and RRM (channel diagram: channels 1, 6 and 11, second step).
  • 46. CleanAir and RRM (channel diagram: channels 1, 6 and 11, with an X marking the affected channel 6 cell).
  • 47. Event Driven RRM (EDRRM). Sensitivity thresholds: High: Air Quality ≤ 60; Medium: Air Quality ≤ 50; Low: Air Quality ≤ 35. Rogue AP duty-cycle contribution is available as of AireOS 8.1.
  • 48. CleanAir detectable attacks, some examples. Traditional IDS/IPS, Layer 3-7: IP and application attacks & exploits. wIPS, Layer 2: Wi-Fi protocol attacks & exploits. CleanAir, Layer 1: RF signaling attacks & exploits, dedicated to L1 exploits: rogue threats, “undetectable” rogues, Wi-Fi jammers, “classic” interferers (2.4 GHz and 5 GHz). See BRKEWN-3010.
  • 49. Recap of Cisco WIPS
    • Detecting extensive DoS attacks and security penetration – Base WIPS + Adaptive WIPS
    • Locating rogue APs, attackers and victims
    • Manual or fixed auto-containment policy for rogue AP/client
    • Comprehensive wired rogue detection algorithm using Auto SPT, RLDP or Rogue Detector AP
    Diagram: open/wired/NATed rogue AP → RLDP or Rogue Detector magic packet; encrypted/wired rogue AP → +/- 1 or 2 and OUI-based Ethernet MAC, via PI SNMP / Auto SPT; locating, tracking and tracing rogue APs with MSE.
  • 50. Management Frame Protection (MFP)
    • Infrastructure MFP, with an additional Message Integrity Check (MIC) for management frames.
    • Client MFP, with encryption of management frames for associated/authenticated clients (CCXv5).
    Diagram: MFP-protected enterprise network. For your reference.
  • 51. IEEE 802.11w Protected Management Frames (PMF)
    • Client protection with additional cryptography for de-authentication and disassociation frames.
    • Infrastructure protection with a Security Association (SA) tear-down mechanism.
    Diagram: 802.11w-protected enterprise network. For your reference.
  • 52. Service Ready Feature Highlights: Local Profiling; Bonjour; Apple Services; Solution level Attack Protection; AVC/Netflow; 802.1x; Webauth; Guest Access; MAC Auth; BYOD; NAC; RADIUS; Local Policy w/ AVC, Umbrella; AAA Override (VLAN, ACL, QoS); TrustSec (SXP, Inline Tagging); OKC, CCKM Roaming; Cisco Umbrella URL Filtering
  • 54. Identity Awareness: choose the access control method. Endpoints: authorized users, IP phones, tablets, network devices, guests, IoT devices. Authentication features: 802.1x; Identity PSK; MAC Auth Bypass; Web Authentication.
  • 55. IEEE 802.1X. Supplicant — EAP over LAN (EAPoL), Layer 2 point-to-point — Authenticator — RADIUS, Layer 3 link — Auth Server.
    Beginning: EAPoL Start; EAPoL Request Identity; EAP-Response Identity: Alice; RADIUS Access-Request [AVP: EAP-Response: Alice]
    Middle: EAP-Request: PEAP; EAP-Response: PEAP; RADIUS Access-Challenge [AVP: EAP-Request PEAP]; RADIUS Access-Request [AVP: EAP-Response: PEAP]; multiple Challenge-Request exchanges possible
    End: EAP Success; RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
    For your reference.
  • 56. EAP Authentication Types: different authentication options leveraging different credentials.
    • Tunnel-based (EAP-PEAP, EAP-FAST; inner methods EAP-GTC, EAP-TLS, EAP-MSCHAPv2) – Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. This provides security for the inner method, which may be vulnerable by itself.
    • Certificate-based (EAP-TLS) – For more security, EAP-TLS provides mutual authentication of both the server and the client.
  • 57. RADIUS Change of Authorization (CoA)
    • The RADIUS protocol is initiated by the network device (NAD).
    • Without CoA there is no way to change the authorization from ISE.
    • With CoA the network device listens to CoA requests from ISE (RADIUS CoA, UDP:1700/3799): re-authenticate session; terminate session; terminate session with port bounce; disable host port.
    Now I can control ports when I want to!
    (config)#aaa server radius dynamic-author
     client {PSN} server-key {RADIUS_KEY}
    For your reference.
  • 58. RADIUS Change of Authorization (CoA). Supplicant — EAP over LAN (EAPoL), Layer 2 point-to-(multi)point — Authenticator — RADIUS, Layer 3 link — AuthC Server.
    Change of Authorization: RADIUS CoA-Request [VSA: subscriber: reauthenticate]; RADIUS CoA-Ack.
    Re-Authentication: EAPoL Request Identity; EAP-Response Identity: Alice; RADIUS Access-Request [AVP: EAP-Response: Alice]; EAP-Request: PEAP; EAP-Response: PEAP; RADIUS Access-Challenge [AVP: EAP-Request PEAP]; RADIUS Access-Request [AVP: EAP-Response: PEAP]; multiple Challenge-Request exchanges possible.
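    Slides 57 and 58 turn the usual RADIUS direction around: the server (ISE) sends a CoA-Request to the WLC, which answers with a CoA-ACK, and the WLC must only honour requests that prove knowledge of the shared secret. The Python below is an added example, not ISE or AireOS code, of the RFC 5176 packet format and authenticator check on both sides of that exchange; the shared secret, session identifiers and MAC address are constructed, and the Cisco-AVPair value "subscriber:command=reauthenticate" is the documented IOS CoA command for a re-authentication and is an assumption for any particular platform.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the RADIUS attribute types used below.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one Cisco-AVPair (vendor 9, vendor-type 1)."""
    v = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(v) + 2) + v
    return attr(ATTR_VENDOR_SPECIFIC, vsa)


def build_coa_request(secret: bytes, identifier: int, attributes: bytes) -> bytes:
    """Server side. Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_request(secret: bytes, packet: bytes) -> bool:
    """NAD side: drop anything whose authenticator was not computed with our shared secret."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(secret: bytes, request: bytes, code: int, attributes: bytes = b"") -> bytes:
    """NAD side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Server side: the ACK/NAK must match the identifier and authenticator of our request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes):
    """Return [(type, value)] for the attribute section; rejects truncated TLVs."""
    out, i = [], 20
    while i < len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed attribute")
        out.append((t, packet[i + 2:i + l]))
        i += l
    return out


def reauthenticate_demo(secret: bytes = b"constructed-shared-secret") -> dict:
    """Constructed exchange: ISE -> WLC CoA-Request (reauthenticate), WLC -> ISE CoA-ACK,
    plus the two checks a WLC must fail: wrong secret and a modified packet."""
    attrs = (attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")      # constructed client MAC
             + attr(ATTR_ACCT_SESSION_ID, b"0000ABCD")                # constructed session id
             + cisco_avpair("subscriber:command=reauthenticate"))
    request = build_coa_request(secret, identifier=7, attributes=attrs)
    accepted = verify_coa_request(secret, request)
    response = build_coa_response(secret, request, COA_ACK if accepted else COA_NAK)
    tampered = request[:-1] + bytes([request[-1] ^ 0x01])            # flip one attribute byte
    return {
        "request_ok": accepted,
        "response_code": response[0],
        "response_ok": verify_coa_response(secret, request, response),
        "wrong_secret_ok": verify_coa_request(b"other-secret", request),
        "tampered_ok": verify_coa_request(secret, tampered),
        # VSA value = vendor-id(4) + vendor-type(1) + vendor-length(1) + text
        "avpairs": [v[6:].decode() for t, v in parse_attributes(request) if t == ATTR_VENDOR_SPECIFIC],
    }


if __name__ == "__main__":
    print(reauthenticate_demo())
```

    The authenticator is only as strong as the shared secret, which is why the `aaa server radius dynamic-author` stanza on slide 57 binds each CoA client (the ISE PSN) to its own key: a CoA listener that accepted requests from any source with any secret would let anyone on the management network bounce or disable client sessions.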
  • 59. Identity PSK (AireOS 8.5 release). Drivers: increased demand for IoT devices; identity security without 802.1x; high scale; cost effective; simple operations.
    • Private PSK with RADIUS integration
    • Per-client AAA override (VLAN / ACL, QoS, etc.)
  • 60. Identity PSK: how it works! Ingredients: PSK WLAN; MAC Filtering; AAA Override.
    Device MAC Group | Private PSK
    IoT Devices | aabbcc
    Sensors | xxyyzz
    Employees | --- (WLAN PSK)
    RADIUS returns, for IoT Devices: Cisco-AVPair += "psk-mode=ascii"; Cisco-AVPair += "psk=aabbcc". For Sensors: Cisco-AVPair += "psk-mode=ascii"; Cisco-AVPair += "psk=xxyyzz".
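    Slide 60 shows the mechanism but not why it isolates the groups: the WLC looks the client MAC up over RADIUS (MAC filtering), the server returns the group's private PSK as Cisco-AVPairs, and the WLC uses that passphrase, not the WLAN's, for the 4-way handshake with that client. The Python below is an added example, not AireOS or ISE code, that runs that lookup over a constructed MAC table and then derives the WPA2 PMK from each resulting passphrase with the standard IEEE 802.11 PBKDF2 mapping, so it can show that two groups on the same SSID end up with different pairwise keys and that an unknown MAC gets no key at all. The fallback to the WLAN's own PSK when RADIUS returns no psk AV-pair, and the support for psk-mode=hex as a raw 64-hex-digit PMK, are assumptions; all secrets and MACs are constructed.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed MAC -> group table (what ISE would hold as endpoint identity groups).
DEVICE_GROUPS: Dict[str, str] = {
    "00:11:22:33:44:01": "IoT Devices",
    "00:11:22:33:44:02": "IoT Devices",
    "00:11:22:33:44:03": "Sensors",
    "00:11:22:33:44:04": "Employees",
}
# Constructed per-group private PSKs; Employees has none and uses the WLAN PSK (assumption).
GROUP_PSK: Dict[str, Tuple[str, str]] = {
    "IoT Devices": ("ascii", "aabbcc-iot-passphrase"),
    "Sensors": ("hex", "00" * 31 + "01"),      # 64 hex digits = a raw 256-bit PMK
}
WLAN_PSK = "wlan-default-passphrase"            # constructed WLAN-level PSK


def radius_authorize_mac(mac: str) -> Tuple[bool, List[str]]:
    """Emulates the server's answer to a MAB request on an iPSK WLAN.
    Unknown MACs are rejected outright, so they never reach the 4-way handshake."""
    group = DEVICE_GROUPS.get(mac.lower())
    if group is None:
        return False, []
    if group not in GROUP_PSK:
        return True, []                         # accept, no private PSK: WLAN PSK applies
    mode, value = GROUP_PSK[group]
    return True, [f"psk-mode={mode}", f"psk={value}"]


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 PSK -> PMK mapping: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_from_avpairs(avpairs: List[str], ssid: str) -> bytes:
    """WLC side: pick the RADIUS-delivered PSK over the WLAN PSK, then derive the PMK."""
    pairs = dict(p.split("=", 1) for p in avpairs)
    if "psk" not in pairs:
        return wpa2_pmk(WLAN_PSK, ssid)
    mode = pairs.get("psk-mode", "ascii")
    if mode == "ascii":
        return wpa2_pmk(pairs["psk"], ssid)
    if mode == "hex":
        pmk = bytes.fromhex(pairs["psk"])
        if len(pmk) != 32:
            raise ValueError("hex psk must be exactly 64 hex digits")
        return pmk
    raise ValueError(f"unsupported psk-mode {mode!r}")


def pmk_for_client(mac: str, ssid: str) -> Optional[bytes]:
    """Whole flow for one associating client; None means the MAC was rejected."""
    accepted, avpairs = radius_authorize_mac(mac)
    if not accepted:
        return None
    return pmk_from_avpairs(avpairs, ssid)


if __name__ == "__main__":
    for mac in list(DEVICE_GROUPS) + ["de:ad:be:ef:00:01"]:
        pmk = pmk_for_client(mac, "IOT-WLAN")
        print(mac, DEVICE_GROUPS.get(mac, "unknown"), pmk.hex() if pmk else "rejected")
```

    Because the PMK is a function of the passphrase and the SSID, a device that only holds the IoT passphrase cannot derive the Sensors group's keys even though both groups share the SSID; the per-client AAA override from slide 59 (VLAN, ACL, QoS) then separates them at layer 2 and 3 as well.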
  • 61. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public AP-WLC DHCP/DNS ISE ServerOptional: • MAB • 802.1X 0 Pre-webauth ACL 2 Host Acquires IP Address, Triggers Session State 3 Host Opens Browser Login Page Host Sends Password 4 WLC Queries AAA Server AAA Server Returns Policy Server authorizes user 5 WLC Applies New WebAuth Policy (L3)6 • SSID with WebAuth 1 Local Web Authentication (LWA) LOCAL because the redirection URL and the pre-webauth ACL are locally configured on the WLC. MAB (optional) 802.1X (optional) Local Web Auth BRKEWN-2005 77
  • 62. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public AP-WLC DHCP/DNS ISE Server Host Acquires IP Address, Triggers Session State 4 • Open SSID with MAC Filtering enabled 1 AuthC success; AuthZ for unknown MAC returned: Redirect/filter ACL, portal URL Host Opens Browser – WLC redirects browser to ISE web page Login Page Host Sends Username/Password 5 Web Auth Success results in CoA Server authorizes user 6 MAB re-auth MAB Success Session lookup – policy matched Authorization ACL/VLAN returned.7 First authentication session 2 3 CENTRAL because the redirection URL and the pre- webauth ACL are centrally configured on ISE and communicated to the WLC via RADIUS. Central Web Auth Central Web Authentication (CWA) BRKEWN-2005 79
  • 63. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Other URL-Redirect scenarios (posture, MDM, etc.) AP-WLC DHCP/DNS ISE Server Host Acquires IP Address, Triggers Session State 4 • SSID configured for 802.1X / MAB1 AuthC success; AuthZ returned: Redirect/filter ACL, URL for posture/MDM/etc. Host Opens Browser – WLC redirects browser to ISE for other services Posture check, MDM check, client provisioning, etc. 5 RADIUS CoA Server authorizes user 6 802.1X/MAB re-auth 802.1X/MAB Success Session lookup – policy matched Authorization ACL/VLAN returned.7 First authentication session 2 3  CWA is a URL-Redirect scenario.  Thanks to RADIUS CoA we can apply other identity services after 802.1X, MAB or WebAuth. BRKEWN-2005 81
  • 65. How about policies? Differentiating user groups. Keeping untrusted devices out. Basic access vs. full access.
  • 66. Network Policy Enforcement: network as a sensor and enforcer. Different wired and wireless security leaves you vulnerable to risk and malicious activity. The latest Cisco wireless minimizes risk and works with switching and routing for end-to-end validation.
    1. Access policy created on Identity Services Engine.
    2. Authorized user accepts policy.
    3. Network validates activity: serves as a sensor and policy enforcer.
  • 67. Cisco Identity Services Engine (ISE) consolidates ACS, NAC Profiler, Guest Server, NAC Manager and NAC Server. Functions: centralized policy; RADIUS server; posture assessment; guest access services; device profiling; client provisioning; MDM; monitoring & troubleshooting; SIEM integration; device admin / TACACS+. See BRKSEC-3697 and BRKSEC-3699.
  • 68. Authentication and Authorization: what are they? Authentication (802.1X / iPSK / MAB / WebAuth) tells who/what the endpoint is. Authorization tells what the endpoint has access to.
  • 69. ISE Policy Rules (For your reference).
    1. Authentication rules: define what identity stores to reference. Example: Active Directory, CA server, internal DB, etc.
    2. Authorization rules: define what users and devices get access to resources. Example: all employees with Windows laptops have full access.
  • 70. Guests and BYOD, can’t hide...
  • 71. ROLE BASED APPLICATION POLICY
    • Alice (User) and Bob (IT Admin) are both employees
    • Both Alice and Bob are connected to the same SSID
    • Bob can access certain applications (YouTube), Alice cannot
    ROLE BASED + DEVICE TYPE APPLICATION POLICY
    • Alice can access inventory info on an IT provisioned Windows laptop
    • Alice cannot access inventory info on her personal iPad
    ROLE BASED + DEVICE TYPE + APPLICATION SPECIFIC POLICY
    • Alice has limited access (rate limit) to Jabber on her iPhone
    AVC release timeline: 7.4 AVC; 7.5 dynamic protocol pack update; 7.6 Jabber, Lync 2013 support; 8.0 user and device aware policies, ability to classify Apple iOS, Windows, Android upgrades, per user-group, per device policy tie-in to AVC; 8.1 user & device aware policies, ability to classify Apple iOS, Windows, Android upgrades; 8.2 Wi-Fi calling, Skype for Business, UserId + IPFlow for Netflow export, Lancope collector.
  • 72. AVC (Application Visibility and Control): per-user profiles via AAA. The RADIUS server returns cisco-av-pair = avc-profile-name = AVC-Employee for employees and cisco-av-pair = avc-profile-name = AVC-Contract for contractors, and the WLC applies the matching AVC profile. The diagram shows the employee profile covering YouTube, Facebook, Skype and BitTorrent, and the contractor profile covering Facebook and Skype.
  • 73. WLC integration with StealthWatch (as of AireOS 8.2 on 5520/8510/8540). The WLC exports Netflow v9 records (e.g. a client running BitTorrent); StealthWatch raises pxGrid notifications to ISE; ISE sends a quarantine CoA to the WLC. See BRKSEC-3014.
  • 74. Security Group Access (SGA), AireOS 8.3 and before: SXP peering from the WLC. 802.1X users/endpoints and MAB/WebAuth agent-less devices sit on VLAN 100 behind the WLC. The WLC (SXP speaker) sends the IP-to-SGT binding table via SXP to SGT tagging or SGACL capable devices (e.g. Catalyst 3750-X, SXP listener). Binding table: 10.1.10.102 = SGT 5; 10.1.10.110 = SGT 14; 10.1.99.100 = SGT 12. Frames leave the WLC untagged; the Catalyst 3k-X tags them (SGT=5) towards the Cat 6500 distribution, and SGT enforcement protects the IT Portal (SGT 4, 10.1.100.10) with the SGACL: deny sgt-src 5 sgt-dst 4. SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
  • 75. Security Group Access (SGA), AireOS 8.4: SXP peering from the AP (802.11ac APs). The AP (SXP speaker) sends the same IP-to-SGT binding table (10.1.10.102 = SGT 5; 10.1.10.110 = SGT 14; 10.1.99.100 = SGT 12) to the Catalyst 3k-X (SXP listener), which enforces the SGACL deny sgt-src 5 sgt-dst 4 for 802.1X users/endpoints and MAB/WebAuth agent-less devices. SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
  • 76. Security Group Access (SGA), AireOS 8.4: SGT inline tagging at the WLC (5520/8540) or AP (802.11ac APs). Frames are sent tagged (SGT=5) into the campus network, where the Catalyst 3k-X applies the SGACL deny sgt-src 5 sgt-dst 4. SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.
  • 77. Security Group Access (SGA), AireOS 8.4: SGACL at the WLC (5520/8540) or AP (802.11ac APs). The SGACL (deny sgt-src 5 sgt-dst 4) is enforced for 802.1X users/endpoints and MAB/WebAuth agent-less devices directly at the WLC or AP, with ISE as policy source. SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL. See BRKSEC-2203 and BRKSEC-3690.
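The SXP binding table and the SGACL from these slides, worked through as an added example (not Cisco code or the WLC's implementation): it resolves both endpoints of a flow to their SGTs and evaluates the SGACL cell, and it shows that a host missing from the binding table falls through to the assumed default-permit, which is why binding propagation has to be verified. The flows and the default action are constructed assumptions.

```python
# Added example (not Cisco code): SGT lookup from an SXP binding table and SGACL
# evaluation. Bindings and the line 'deny sgt-src 5 sgt-dst 4' come from the
# slides; the flows and the default-permit assumption are constructed.
from ipaddress import ip_address

# IP-to-SGT bindings the WLC (or AP) advertises over SXP, as on the slide, plus
# the IT Portal server 10.1.100.10 that the diagram shows as SGT 4.
SXP_BINDINGS = {
    "10.1.10.102": 5,
    "10.1.10.110": 14,
    "10.1.99.100": 12,
    "10.1.100.10": 4,
}
UNKNOWN_SGT = 0            # a host with no learned binding carries no tag
DEFAULT_ACTION = "permit"  # assumption: no matching SGACL cell means permit
SGACL = ("deny sgt-src 5 sgt-dst 4",)  # policy line from the slide

def parse_sgacl(line):
    """Parse 'deny|permit sgt-src <n> sgt-dst <m>' into (src_sgt, dst_sgt, action)."""
    tokens = line.split()
    if len(tokens) != 5 or tokens[1] != "sgt-src" or tokens[3] != "sgt-dst":
        raise ValueError(f"unrecognised SGACL line: {line!r}")
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unknown SGACL action: {tokens[0]!r}")
    return int(tokens[2]), int(tokens[4]), tokens[0]

def resolve_sgt(ip, bindings=SXP_BINDINGS):
    """Map an IP to its SGT via the SXP table; unknown hosts get UNKNOWN_SGT."""
    return bindings.get(str(ip_address(ip)), UNKNOWN_SGT)

def enforce(src_ip, dst_ip, sgacl=SGACL, bindings=SXP_BINDINGS):
    """Decide a flow the way an SGACL-capable device does once both tags are known.
    Returns (action, src_sgt, dst_sgt)."""
    src_sgt, dst_sgt = resolve_sgt(src_ip, bindings), resolve_sgt(dst_ip, bindings)
    for line in sgacl:
        s, d, action = parse_sgacl(line)
        if (s, d) == (src_sgt, dst_sgt):
            return action, src_sgt, dst_sgt
    return DEFAULT_ACTION, src_sgt, dst_sgt

if __name__ == "__main__":
    print(enforce("10.1.10.102", "10.1.100.10"))  # ('deny', 5, 4): SGT 5 -> IT Portal
    print(enforce("10.1.10.110", "10.1.100.10"))  # ('permit', 14, 4): no cell, default
    # A host absent from the SXP table resolves to SGT 0, so the deny never matches:
    # verify bindings actually reach the enforcement point before trusting the policy.
    print(enforce("10.1.10.200", "10.1.100.10"))  # ('permit', 0, 4)
```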
  • 78. Introducing Cisco Umbrella with WLC. Example: ACME’s policies block gaming sites. Client DNS queries pass through the WLC to the Cisco Umbrella cloud at 208.67.220.220, either directly or via the DNS server 10.1.1.1 (or an external DNS proxy) forwarding to 208.67.220.220; the DNS response enforces ACME’s policy before the client reaches the Internet.
  • 79. WLC integration with Cisco Umbrella: the WLC forwards the DNS query to the Cisco Umbrella cloud and relays the DNS response to the client.
  • 80. WLC integration with OpenDNS (Cisco Umbrella cloud): DNS query and DNS response. See BRKSEC-2980 and LABSEC-2006.
  • 81. OpenDNS Policy Segmentation. Current ISR implementation (ISR 4K): site-specific policy, enforced per interface (corp network, guest network). Wireless controller for dynamic evaluation of attributes for access control: the identity server returns attributes, and Contractor, Corp and Guest users are mapped to distinct Cisco Umbrella policies (Policy 1, Policy 2, Policy 3).
  • 82. mDNS and Bonjour Services
    • mDNS profiles: select services
    • mDNS profile with local policy: services per-user and per-device
    • mDNS policies: services based on AP location and user role
    • mDNS AP: services behind an L3 boundary
    • Location specific services
    Example: a Teacher network and a Student network. The teacher service profile includes AirPrint, AirPlay and File Share; the student service profile includes AirPlay and File Share (other mDNS services in the diagram: iTunes Sharing, AirPrint). mDNS service instance groups give teachers and students different service instance lists (e.g. Apple TV1 and Apple TV2 for teachers, Apple TV1 for students).
  • 83. Conclusion
  • 84. Key Takeaways
    • Security is an end-to-end concern
    • Start by securing the infrastructure
    • Use CleanAir, WIPS to protect the Air
    • Protect your client access with CWA, ISE
    • AVC Policies, TrustSec and SGTs protect your traffic
  • 85. Cisco Spark: Ask Questions, Get Answers. What if I have a question after visiting Cisco Live? Use Cisco Spark to communicate with the speaker after the event! cs.co/ciscolive/#session ID (e.g. session ID = BRKACI-2001), www.ciscospark.com. Get the Cisco Spark app from the iTunes store or Google Play store.
    1. Go to the Cisco Live Mobile app
    2. Find this session
    3. Click the join link in the session description
    4. Navigate to the room, room name = Session ID
    5. Enter messages in the room
    Spark rooms will be available until Friday 17 November 2017.
  • 86. Complete Your Online Session Evaluation. Give us your feedback about the session you just joined. Complete your session surveys through the Cisco Live mobile app: https://www.ciscolive.com/latam/attend/attendee-info/#mobile-app (English), https://www.ciscolive.com/latam/attend-es/attendee-info/#mobile-app (Español), or from the Session Catalog on CiscoLive.com/latam. Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online.