
BYOD Policy in Action – Part 2

Spice IT


My last post covered some of the bring-your-own-device (BYOD) issues companies are facing and how to use Cisco’s Identity Services Engine (ISE) to help define access restrictions, while still providing users a good experience. I also went through and demonstrated how this segmentation worked and how it was enforced on the wireless LAN controller (WLC).

As a reminder, this is our example policy:

Device Type      | Authentication | Posture   | SSID   | VLAN       | Access-list
Company Computer | EAP-TLS        | N/A       | GET IT | Inside 582 | -
Company Mobile   | EAP-TLS        | Compliant | GET IT | Inside 582 | INET_Exchange
Employee Device  | PEAP           | N/A       | GET IT | Guest 583  | -

In this post, I am going to cover how to configure the WLC and ISE to enforce these policies. Let’s get started!

Wireless LAN Controller Configuration

On the WLC, we will configure the RADIUS server(s), the access control list, and the SSID that the users will connect to.

RADIUS Server(s)

1. From the WLC GUI go to Security->AAA->RADIUS->Authentication
2. Select New
3. From the WLC GUI go to Security->AAA->RADIUS->Accounting
4. Select New
5. Enter the IP address of ISE
The shared secret entered here must match the RADIUS shared secret you give the WLC entry in ISE (see Network Access Devices below).

Access-Lists

1. From the WLC GUI go to Security->Access Control Lists->Access Control Lists
2. Select New
3. Enter the desired name
Take note of this name, as it will be needed to set up the ISE policy (INET_Exchange in our example).
4. Select Apply
5. Now select the access-list that was just created
6. Enter the set of rules needed to provide the correct permissions

Let’s take some time to explain these rules.

Outbound means leaving the controller going toward the client. Inbound means coming into the controller from the client.

  1. Permit Any traffic – Outbound (same default action as a switch)
  2. Allow UDP DNS traffic to the internal DNS Server – Inbound
  3. Allow Any traffic to our ISE Server – Inbound
  4. Allow HTTPS to our Exchange OWA Server – Inbound
  5. Allow HTTP to our Exchange OWA Server – Inbound
  6. Deny Any to 10.0.0.0/8 – Inbound
  7. Deny Any to 192.168.0.0/16 – Inbound
  8. Deny Any to 172.16.0.0/12 – Inbound
  9. Permit Any to Any – Inbound

In summary, this access-list allows DNS, ISE and OWA, then blocks all RFC 1918 private address space, and finally permits everything else. The WLC evaluates the rules top to bottom and stops at the first match, so the order matters: the DNS, ISE and OWA permits must sit above the private-space denies. In effect, the device is blocked from the internal network (assuming it uses only private addresses) but can go anywhere on the Internet.
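To see how the controller applies these rules, here is an added Python model of the INET_Exchange access-list (my own example, not code from the post); it walks the rules top to bottom, first match wins, and the DNS, ISE and OWA addresses are constructed placeholders since the post does not give them.

```python
import ipaddress

# Constructed sample addresses: the post does not give the DNS, ISE or OWA IPs.
DNS_SERVER = "10.1.1.53"
ISE_SERVER = "10.1.1.10"
OWA_SERVER = "10.1.2.25"

# The INET_Exchange rules from the post, in order. A rule is
# (action, direction, protocol, destination network, destination port);
# None for protocol or port means "any".
INET_EXCHANGE = [
    ("permit", "outbound", None,  "0.0.0.0/0",        None),  # 1
    ("permit", "inbound",  "udp", DNS_SERVER + "/32", 53),    # 2
    ("permit", "inbound",  None,  ISE_SERVER + "/32", None),  # 3
    ("permit", "inbound",  "tcp", OWA_SERVER + "/32", 443),   # 4
    ("permit", "inbound",  "tcp", OWA_SERVER + "/32", 80),    # 5
    ("deny",   "inbound",  None,  "10.0.0.0/8",       None),  # 6
    ("deny",   "inbound",  None,  "192.168.0.0/16",   None),  # 7
    ("deny",   "inbound",  None,  "172.16.0.0/12",    None),  # 8
    ("permit", "inbound",  None,  "0.0.0.0/0",        None),  # 9
]

def evaluate(acl, direction, proto, dst_ip, dst_port=None):
    """Walk the ACL top to bottom and return (action, rule number) for the
    first rule that matches; the WLC stops at the first hit. A flow that
    matches nothing falls to the controller's implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for number, (action, rdir, rproto, net, port) in enumerate(acl, start=1):
        if rdir != direction:
            continue
        if rproto is not None and rproto != proto:
            continue
        if port is not None and port != dst_port:
            continue
        if dst not in ipaddress.ip_network(net):
            continue
        return action, number
    return "deny", None

if __name__ == "__main__":
    flows = [  # (direction, protocol, destination, port): constructed test flows
        ("inbound", "udp", DNS_SERVER, 53),     # DNS lookup -> rule 2
        ("inbound", "tcp", OWA_SERVER, 443),    # OWA over HTTPS -> rule 4
        ("inbound", "tcp", OWA_SERVER, 25),     # SMTP to the same host -> rule 6
        ("inbound", "tcp", "172.20.0.9", 445),  # inside 172.16/12 -> rule 8
        ("inbound", "tcp", "172.32.0.9", 443),  # outside 172.16/12 -> rule 9
    ]
    for flow in flows:
        print(flow, "->", evaluate(INET_EXCHANGE, *flow))
```

One detail the model makes visible: rule 2 permits only UDP, so a DNS query that falls back to TCP toward the internal server is caught by rule 6, and 172.32.0.0 lies outside 172.16.0.0/12 and is therefore permitted by rule 9.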

SSID Settings

1. From the WLC GUI go to WLANs
2. Either create a new SSID or modify an existing one
Note: If you are editing an existing SSID, applying the changes will disconnect devices currently on it.
3. Under the SSID's Security tab, enter the desired Layer 2 security settings
4. Under the SSID's Security -> AAA Servers tab, select your ISE server(s)
5. Select Allow AAA Override and set NAC State to RADIUS NAC
These settings allow ISE to change the session information (VLAN and access-list) based on the policy match.
6. Click Apply to save the changes

Before we move to ISE, let’s recap what has been configured.

1. ISE has been added into the WLC as a AAA server
2. The INET_Exchange access-list is staged on the controller with the desired access policy
3. The SSID has been set up for 802.1X authentication and ISE is allowed to change the session access privileges on-the-fly

Identity Services Engine Configuration

In ISE, we will be adding the WLC, configuring the identity sources, defining our user permissions, and lastly, setting up the authentication and authorization policies.

Network Access Devices

1. Add the WLC into ISE by going to Administration->Network Resources->Network Devices.

2. Select Add

3. Enter at a minimum the Name, Management Interface IP Address, and the RADIUS Shared Secret


4. Select Save

Identity

Certificate Authority (CA)

1. Add the trusted certificate authority for your user certificates under Administration->Certificates->Certificate Store
2. Select Import
3. Browse to the public certificate (public key) file for your CA
4. Select Trust for client authentication or Secure Syslog services
5. Submit

Active Directory

1. To add ISE to Active Directory, go to Administration->Identity Management->External Identity Sources->Active Directory
2. Enter your Domain Name
3. Give the identity store a friendly name in the Identity Store Name field
4. Select the ISE server(s) in your deployment
5. Select Join, enter a username and password with privileges to join a computer to the domain, and select OK
6. Once joined, your server(s) should show a status of Connected To: followed by your domain
7. To map groups from Active Directory, select Groups
8. Select Add, then Select Groups from the Directory
9. Search for your desired AD groups, select them, and select OK
10. Select Save Configuration
11. Your mapped groups will now appear in the Groups list

Certificate Authentication Profile

1. Add a Certificate Authentication Profile under Administration->Identity Management->Certificate Authentication Profile
2. Select Add
3. Enter a Name and select which certificate attribute holds the AD identity of your users
4. Select Save

Authentication Policy

1. Go to Policy->Authentication Policy
2. Insert a new policy with the following settings:
   A. Match on Wireless_802.1X
   B. If EAP-TLS, use the Certificate Authentication Profile (certificate identity store) that was created
   C. If Default, use the Active Directory identity store
3. Click Save

Authorization Profiles

These can be created while creating the authorization policy, but I prefer to stage them ahead of time.

1. Navigate to the authorization profiles: Policy->Policy Elements->Results, then Authorization->Authorization Profiles
2. Select Add
3. Enter a Name for the BYOD permission and the guest VLAN ID (583)
4. Scroll down and select Save
5. Repeat for the Computer policy. Note: if the SSID's VLAN on the controller is already the desired VLAN, it does not need to be set here
6. Repeat for the Mobile Device policy, this time defining the access-list we set up on the WLC (INET_Exchange)

Authorization Policy

1. Go to Policy->Authorization Policy and insert a new policy
2. Add a rule for PEAP-BYOD matching PEAP (EAP-MSCHAPv2) and Domain Users, with the BYOD profile as the permission
3. Repeat for the Mobile policy, matching EAP-TLS and Domain Users and assigning your Mobile Device permission
4. Repeat for the Computer policy, matching EAP-TLS and Domain Computers and assigning your Computer permission

When you are finished, your policy should show these three rules above the default rule. ISE evaluates the rules top to bottom and applies the first match, so keep the rule order in mind when you add more.

For a cleaner-looking policy, set up reusable conditions for the authentication method and group checks.
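As an added illustration (my own example, not from the post), the following Python models the three authorization rules and the AAA override attributes ISE returns to the WLC for each match; it assumes the built-in AD group names "Domain Users" and "Domain Computers" and does not model the posture column from the policy table.

```python
# Rules in the order ISE evaluates them (top down, first match wins):
# (rule name, authentication method, required AD group, authorization profile).
AUTHZ_RULES = [
    ("Computer",  "EAP-TLS",             "Domain Computers", "Computer"),
    ("Mobile",    "EAP-TLS",             "Domain Users",     "Mobile"),
    ("PEAP-BYOD", "PEAP (EAP-MSCHAPv2)", "Domain Users",     "BYOD"),
]

# Authorization profiles from the policy table: VLAN plus the optional WLC
# access-list name. The posture requirement for mobiles is not modelled.
PROFILES = {
    "Computer": {"vlan": 582, "acl": None},
    "Mobile":   {"vlan": 582, "acl": "INET_Exchange"},
    "BYOD":     {"vlan": 583, "acl": None},
}

def match_rule(session):
    """Return (rule name, profile name) for the first rule whose method and
    group conditions both hold, or None when only the default rule applies."""
    for name, method, group, profile in AUTHZ_RULES:
        if session["method"] == method and group in session["groups"]:
            return name, profile
    return None

def authorize(session):
    """Build the RADIUS reply ISE would send. With Allow AAA Override enabled
    the WLC takes the VLAN from the tunnel attributes and the ACL from the
    Airespace-ACL-Name vendor attribute; an unmatched session is rejected."""
    hit = match_rule(session)
    if hit is None:
        return {"Result": "Access-Reject"}
    rule, profile_name = hit
    profile = PROFILES[profile_name]
    reply = {
        "Result": "Access-Accept",
        "Rule": rule,
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(profile["vlan"]),
    }
    if profile["acl"]:
        reply["Airespace-ACL-Name"] = profile["acl"]
    return reply

if __name__ == "__main__":
    # Constructed session: an employee's personal device authenticating with PEAP.
    print(authorize({"method": "PEAP (EAP-MSCHAPv2)", "groups": {"Domain Users"}}))
```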

ISE Recap

We walked through a bare minimum ISE configuration. It allows a device connecting through the WLC to be authenticated either against Active Directory (PEAP) or with the certificate issued to it by the company certificate authority (EAP-TLS). When the device connects, we can also use the information available about the session to apply a precise policy that gives the user the permissions defined by the security policy.

Conclusion

As you have seen, ISE is highly customizable and can be complicated at times. But with the right knowledge and set of skills, it can be your Swiss Army knife of network access tools. It allows you to craft an access policy that is unique to your requirements. I hope this information gets you thinking about your network access policies and offers ideas for using these tools to help mitigate organizational risk.

 

 
