Cisco ISE for BYOD and Secure Unified Access

Cisco ISE for BYOD and Secure Unified Access : BYOD Network Security with ISE

3 (1 rating by Goodreads)
By (author)  , By (author) 

Free delivery worldwide

Available. Dispatched from the UK in 2 business days
When will my order arrive?


Plan and deploy identity-based secure access for BYOD and borderless networks Using Cisco Secure Unified Access Architecture and Cisco Identity Services Engine, you can secure and regain control of borderless networks in a Bring Your Own Device (BYOD) world. This book covers the complete lifecycle of protecting a modern borderless network using these advanced solutions, from planning an architecture through deployment, management, and troubleshooting. Cisco ISE for BYOD and Secure Unified Access begins by reviewing the business case for an identity solution. Next, you'll walk through identifying users, devices, and security posture; gain a deep understanding of Cisco's Secure Unified Access solution; and master powerful techniques for securing borderless networks, from device isolation to protocol-independent network segmentation. You'll find in-depth coverage of all relevant technologies and techniques, including 802.1X, profiling, device onboarding, guest lifecycle management, network admission control, RADIUS, and Security Group Access. Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors present detailed sample configurations to help you plan your own integrated identity solution. Whether you're a technical professional or an IT manager, this guide will help you provide reliable secure access for BYOD, CYOD (Choose Your Own Device), or any IT model you choose. * Review the new security challenges associated with borderless networks, ubiquitous mobility, and consumerized IT * Understand the building blocks of an Identity Services Engine (ISE) solution * Design an ISE-Enabled network, plan/distribute ISE functions, and prepare for rollout * Build context-aware security policies * Configure device profiling, endpoint posture assessments, and guest services * Implement secure guest lifecycle management, from WebAuth to sponsored guest access * Configure ISE, network access devices, and supplicants, step-by-step * Walk through a phased deployment that ensures zero downtime * Apply best practices to avoid the pitfalls of BYOD secure access * Simplify administration with self-service onboarding and registration * Deploy Security Group Access, Cisco's tagging enforcement solution * Add Layer 2 encryption to secure traffic flows * Use Network Edge Access Topology to extend secure access beyond the wiring closet * Monitor, maintain, and troubleshoot ISE and your entire Secure Unified Access systemshow more

Product details

  • Paperback | 752 pages
  • 185.42 x 228.6 x 40.64mm | 1,202.01g
  • Pearson Education (US)
  • Cisco Press
  • Indianapolis, United States
  • English
  • New.
  • Illustrations (black and white)
  • 1587143259
  • 9781587143250
  • 727,759

About Jamey Heary

Aaron Woland , CCIE No. 20113, is a Senior Secure Access Engineer at Cisco Systems and works with Cisco's largest customers all over the world. His primary job responsibilities include secure access and ISE deployments, solution enhancements, futures, and escalations. Aaron joined Cisco in 2005 and is currently a member of numerous security advisory boards. Prior to joining Cisco, he spent 12 years as a consultant and technical trainer. His areas of expertise include network and host security architecture and implementation, regulatory compliance, and routing and switching. Aaron is the author of many white papers and design guides, including the TrustSec 2.0 Design and Implementation Guide and the NAC Layer 3 OOB Using VRFs for Traffic Isolation design guide. He is also a distinguished speaker at Cisco Live for topics related to identity and is a security columnist for Network World , where he blogs on all things related to identity. Additional certifications include CCSP, CCNP, CCDP, Certified Ethical Hacker, MCSE, and many other industry certifications. Jamey Heary , CCIE No. 7680, is a Distinguished Systems Engineer at Cisco Systems, where he works as a trusted security advisor to Cisco customers and business groups. He is also a featured security columnist for Network World , where he blogs on all things security. Jamey sits on the PCI Security Standards Council-Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access . He also has a patent pending on a new DDoS mitigation technique. Jamey sits on numerous security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. His other certifications include CISSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 19 years and in IT security for 15 more

Table of contents

Introduction xxvi Section I The Evolution of Identity Enabled Networks Chapter 1 Regain Control of Your IT Security 1 Security: A Weakest-Link Problem with Ever More Links 2 Cisco Identity Services Engine 3 Sources for Providing Identity and Context Awareness 4 Unleash the Power of Centralized Policy 5 Summary 6 Chapter 2 Introducing Cisco Identity Services Engine 7 Systems Approach to Centralized Network Security Policy 7 What Is the Cisco Identity Services Engine? 9 ISE Authorization Rules 12 Summary 13 Section II The Blueprint, Designing an ISE Enabled Network Chapter 3 The Building Blocks in an Identity Services Engine Design 15 ISE Solution Components Explained 15 Infrastructure Components 16 Policy Components 20 Endpoint Components 20 ISE Personas 21 ISE Licensing, Requirements, and Performance 22 ISE Licensing 23 ISE Requirements 23 ISE Performance 25 ISE Policy-Based Structure Explained 27 Summary 28 Chapter 4 Making Sense of All the ISE Deployment Design Options 29 Centralized Versus Distributed Deployment 29 Centralized Deployment 30 Distributed Deployment 32 Summary 35 Chapter 5 Following a Phased Deployment 37 Why Use a Phased Deployment Approach? 37 Monitor Mode 38 Choosing Your End-State Mode 40 End-State Choice 1: Low-Impact Mode 42 End-State Choice 2: Closed Mode 44 Transitioning from Monitor Mode into an End-State Mode 45 Summary 46 Section III The Foundation, Building a Context-Aware Security Policy Chapter 6 Building a Cisco ISE Network Access Security Policy 47 What Makes Up a Cisco ISE Network Access Security Policy? 47 Network Access Security Policy Checklist 48 Involving the Right People in the Creation of the Network Access Security Policy 49 Determining the High-Level Goals for Network Access Security 51 Common High-Level Network Access Security Goals 52 Defining the Security Domains 55 Understanding and Defining ISE Authorization Rules 57 Commonly Configured Rules and Their Purpose 58 Establishing Acceptable Use Policies 59 Defining Network Access Privileges 61 Enforcement Methods Available with ISE 61 Commonly Used Network Access Security Policies 62 Summary 65 Chapter 7 Building a Device Security Policy 67 Host Security Posture Assessment Rules to Consider 67 Sample NASP Format for Documenting ISE Posture Requirements 72 Common Checks, Rules, and Requirements 74 Method for Adding Posture Policy Rules 74 Research and Information 75 Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization 76 Method for Determining Which Posture Policy Rules a Particular Security Requirement Should Be Applied To 77 Method for Deploying and Enforcing Security Requirements 78 ISE Device Profiling 79 ISE Profiling Policies 80 ISE Profiler Data Sources 81 Using Device Profiles in Authorization Rules 82 Summary 82 Chapter 8 Building an ISE Accounting and Auditing Policy 83 Why You Need Accounting and Auditing for ISE 83 Using PCI DSS as Your ISE Auditing Framework 84 ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords 87 ISE Policy for PCI 10.2 and 10.3: Audit Log Collection 89 ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Log Data 90 ISE Policy for PCI 10.6: Review Audit Data Regularly 91 Cisco ISE User Accounting 92 Summary 94 Section IV Configuration Chapter 9 The Basics: Principal Configuration Tasks for Cisco ISE 95 Bootstrapping Cisco ISE 95 Using the Cisco ISE Setup Assistant Wizard 98 Configuring Network Devices for ISE 106 Wired Switch Configuration Basics 106 Wireless Controller Configuration Basics 109 Completing the Basic ISE Setup 113 Install ISE Licenses 113 ISE Certificates 114 Installing ISE Behind a Firewall 116 Role-Based Access Control for Administrators 121 RBAC for ISE GUI 121 RBAC: Session and Access Settings and Restrictions 121 RBAC: Authentication 123 RBAC: Authorization 124 Summary 126 Chapter 10 Profiling Basics 127 Understanding Profiling Concepts 127 Probes 130 Probe Configuration 130 Deployment Considerations 133 DHCP 134 Deployment Considerations 135 NetFlow 137 Deployment Considerations 137 RADIUS 137 Deployment Considerations 138 Network Scan (NMAP) 138 Deployment Considerations 139 DNS 139 Deployment Considerations 139 SNMP 140 Deployment Considerations 140 IOS Device-Sensor 141 Change of Authorization 142 CoA Message Types 142 Configuring Change of Authorization in ISE 143 Infrastructure Configuration 144 DHCP Helper 145 SPAN Configuration 145 VLAN Access Control Lists (VACL) 146 VMware Configurations to Allow Promiscuous Mode 148 Best Practice Recommendations 149 Examining Profiling Policies 152 Endpoint Profile Policies 152 Cisco IP Phone 7970 Example 155 Using Profiles in Authorization Policies 161 Endpoint Identity Groups 161 EndPointPolicy 163 Logical Profiles 164 Feed Service 166 Configuring the Feed Service 166 Summary 168 Chapter 11 Bootstrapping Network Access Devices 169 Bootstrap Wizard 169 Cisco Catalyst Switches 170 Global Configuration Settings for All Cisco IOS 12.2 and 15.x Switches 170 Configure Certificates on a Switch 170 Enable the Switch HTTP/HTTPS Server 170 Global AAA Commands 171 Global RADIUS Commands 172 Create Local Access Control Lists 174 Global 802.1X Commands 175 Global Logging Commands (Optional) 175 Global Profiling Commands 177 Interface Configuration Settings for All Cisco Switches 179 Configure Interfaces as Switch Ports 179 Configure Flexible Authentication and High Availability 179 Configure Authentication Settings 182 Configure Authentication Timers 184 Apply the Initial ACL to the Port and Enable Authentication 184 Cisco Wireless LAN Controllers 184 Configure the AAA Servers 185 Add the RADIUS Authentication Servers 185 Add the RADIUS Accounting Servers 186 Configure RADIUS Fallback (High Availability) 187 Configure the Airespace ACLs 188 Create the Web Authentication Redirection ACL 188 Create the Posture Agent Redirection ACL 191 Create the Dynamic Interfaces for the Client VLANs 193 Create the Employee Dynamic Interface 193 Create the Guest Dynamic Interface 194 Create the Wireless LANs 195 Create the Guest WLAN 195 Create the Corporate SSID 199 Summary 202 Chapter 12 Authorization Policy Elements 205 Authorization Results 206 Configuring Authorization Downloadable ACLs 207 Configuring Authorization Profiles 209 Summary 212 Chapter 13 Authentication and Authorization Policies 215 Relationship Between Authentication and Authorization 215 Authentication Policies 216 Goals of an Authentication Policy 216 Accept Only Allowed Protocols 216 Route to the Correct Identity Store 216 Validate the Identity 217 Pass the Request to the Authorization Policy 217 Understanding Authentication Policies 217 Conditions 218 Allowed Protocols 220 Identity Store 224 Options 224 Common Authentication Policy Examples 224 Using the Wireless SSID 225 Remote-Access VPN 228 Alternative ID Stores Based on EAP Type 230 Authorization Policies 232 Goals of Authorization Policies 232 Understanding Authorization Policies 233 Role-Specific Authorization Rules 237 Authorization Policy Example 237 Employee and Corporate Machine Full-Access Rule 238 Internet Only for iDevices 240 Employee Limited Access Rule 243 Saving Attributes for Re-Use 246 Summary 248 Chapter 14 Guest Lifecycle Management 249 Guest Portal Configuration 251 Configuring Identity Source(s) 252 Guest Sponsor Configuration 254 Guest Time Profiles 254 Guest Sponsor Groups 255 Sponsor Group Policies 257 Authentication and Authorization Guest Policies 258 Guest Pre-Authentication Authorization Policy 258 Guest Post-Authentication Authorization Policy 262 Guest Sponsor Portal Configuration 263 Guest Portal Interface and IP Configuration 264 Sponsor and Guest Portal Customization 264 Customize the Sponsor Portal 264 Creating a Simple URL for Sponsor Portal 265 Guest Portal Customization 265 Customizing Portal Theme 266 Creating Multiple Portals 268 Guest Sponsor Portal Usage 271 Sponsor Portal Layout 271 Creating Guest Accounts 273 Managing Guest Accounts 273 Configuration of Network Devices for Guest CWA 274 Wired Switches 274 Wireless LAN Controllers 275 Summary 277 Chapter 15 Device Posture Assessment 279 ISE Posture Assessment Flow 280 Configure Global Posture and Client Provisioning Settings 283 Posture Client Provisioning Global Setup 283 Posture Global Setup 285 General Settings 285 Reassessments 286 Updates 287 Acceptable Use Policy 287 Configure the NAC Agent and NAC Client Provisioning Settings 288 Configure Posture Conditions 289 Configure Posture Remediation 292 Configure Posture Requirements 295 Configure Posture Policy 296 Enabling Posture Assessment in the Network 298 Summary 299 Chapter 16 Supplicant Configuration 301 Comparison of Popular Supplicants 302 Configuring Common Supplicants 303 Mac OS X 10.8.2 Native Supplicant Configuration 303 Windows GPO Configuration for Wired Supplicant 305 Windows 7 Native Supplicant Configuration 309 Cisco AnyConnect Secure Mobility Client NAM 312 Summary 317 Chapter 17 BYOD: Self-Service Onboarding and Registration 319 BYOD Challenges 320 Onboarding Process 322 BYOD Onboarding 322 Dual SSID 322 Single SSID 323 Configuring NADs for Onboarding 324 ISE Configuration for Onboarding 329 End-User Experience 330 Configuring ISE for Onboarding 347 BYOD Onboarding Process Detailed 357 MDM Onboarding 367 Integration Points 367 Configuring MDM Integration 368 Configuring MDM Onboarding Policies 369 Managing Endpoints 372 Self Management 373 Administrative Management 373 The Opposite of BYOD: Identify Corporate Systems 374 EAP Chaining 375 Summary 376 Chapter 18 Setting Up a Distributed Deployment 377 Configuring ISE Nodes in a Distributed Environment 377 Make the Policy Administration Node a Primary Device 377 Register an ISE Node to the Deployment 379 Ensure the Persona of All Nodes Is Accurate 381 Understanding the HA Options Available 382 Primary and Secondary Nodes 382 Monitoring and Troubleshooting Nodes 382 Policy Administration Nodes 384 Promoting the Secondary PAN to Primary 385 Node Groups 385 Create a Node Group 386 Add the Policy Services Nodes to the Node Group 387 Using Load Balancers 388 General Guidelines 388 Failure Scenarios 389 Summary 390 Chapter 19 Inline Posture Node 391 Use Cases for the Inline Posture Node 391 Overview of IPN Functionality 392 IPN Configuration 393 IPN Modes of Operation 393 Summary 394 Section V Deployment Best Practices Chapter 20 Deployment Phases 395 Why Use a Phased Approach? 395 A Phased Approach 397 Authentication Open Versus Standard 802.1X 398 Monitor Mode 399 Prepare ISE for a Staged Deployment 401 Create the Network Device Groups 401 Create the Policy Sets 403 Low-Impact Mode 404 Closed Mode 406 Transitioning from Monitor Mode to Your End State 408 Wireless Networks 409 Summary 410 Chapter 21 Monitor Mode 411 Endpoint Discovery 412 SNMP Trap Method 413 Configuring the ISE Probes 414 Adding the Network Device to ISE 416 Configuring the Switches 418 RADIUS with SNMP Query Method 420 Configuring the ISE Probes 420 Adding the Network Device to ISE 421 Configuring the Switches 422 Device Sensor Method 424 Configuring the ISE Probes 425 Adding the Network Device to ISE 425 Configuring the Switches 426 Using Monitoring to Identify Misconfigured Devices 428 Tuning the Profiling Policies 428 Creating the Authentication Policies for Monitor Mode 430 Creating Authorization Policies for Non-Authenticating Devices 433 IP-Phones 433 Wireless APs 435 Printers 436 Creating Authorization Policies for Authenticating Devices 438 Machine Authentication (Machine Auth) 438 User Authentications 439 Default Authorization Rule 440 Summary 441 Chapter 22 Low-Impact Mode 443 Transitioning from Monitor Mode to Low-Impact Mode 445 Configuring ISE for Low-Impact Mode 446 Set Up the Low-Impact Mode Policy Set in ISE 446 Duplicate the Monitor Mode Policy Set 446 Create the Web Authentication Authorization Result 448 Configure the Web Authentication Identity Source Sequence 451 Modify the Default Rule in the Low-Impact Policy Set 451 Assign the WLCs and Switches to the Low-Impact Stage NDG 452 Modify the Default Port ACL on the Switches That Will Be Part of Low-Impact Mode 453 Monitoring in Low-Impact Mode 454 Tightening Security 454 Creating AuthZ Policies for the Specific Roles 454 Change Default Authentication Rule to Deny Access 456 Moving Switch Ports from Multi-Auth to Multi-Domain 457 Summary 458 Chapter 23 Closed Mode 459 Transitioning from Monitor Mode to Closed Mode 461 Configuring ISE for Closed Mode 461 Set Up the Closed Mode Policy Set in ISE 461 Duplicate the Monitor Mode Policy Set 462 Create the Web Authentication Authorization Result 463 Configure the Web Authentication Identity Source Sequence 466 Modify the Default Rule in the Closed Policy Set 467 Assign the WLCs and Switches to the Closed Stage NDG 468 Modify the Default Port ACL on the Switches That Will Be Part of Closed Mode 469 Monitoring in Closed Mode 469 Tightening Security 469 Creating Authorization Policies for the Specific Roles 470 Change Default Authentication Rule to Deny Access 472 Moving Switch Ports from Multi-Auth to MDA 473 Summary 474 Section VI Advanced Secure Unified Access Features Chapter 24 Advanced Profiling Configuration 475 Creating Custom Profiles for Unknown Endpoints 475 Identifying Unique Values for an Unknown Device 476 Collecting Information for Custom Profiles 478 Creating Custom Profiler Conditions 479 Creating Custom Profiler Policies 480 Advanced NetFlow Probe Configuration 481 Commonly Used NetFlow Attributes 483 Example Profiler Policy Using NetFlow 483 Designing for Efficient Collection of NetFlow Data 484 Configuration of NetFlow on Cisco Devices 485 Profiler COA and Exceptions 488 Types of CoA 489 Creating Exceptions Actions 489 Configuring CoA and Exceptions in Profiler Policies 490 Profiler Monitoring and Reporting 491 Summary 494 Chapter 25 Security Group Access 495 Ingress Access Control Challenges 495 VLAN Assignment 495 Ingress Access Control Lists 498 What Is Security Group Access? 499 So, What Is a Security Group Tag? 500 Defining the SGTs 501 Classification 504 Dynamically Assigning SGT via 802.1X 504 Manually Assigning SGT at the Port 506 Manually Binding IP Addresses to SGTs 506 Access Layer Devices That Do Not Support SGTs 507 Transport: Security Group eXchange Protocol (SXP) 508 SXP Design 508 Configuring SXP on IOS Devices 509 Configuring SXP on Wireless LAN Controllers 511 Configuring SXP on Cisco ASA 513 Transport: Native Tagging 516 Configuring Native SGT Propogation (Tagging) 517 Configuring SGT Propagation on Cisco IOS Switches 518 Configuring SGT Propagation on a Catalyst 6500 520 Configuring SGT Propagation on a Nexus Series Switch 522 Enforcement 523 SGACL 524 Creating the SG-ACL in ISE 526 Configure ISE to Allow the SGACLs to Be Downloaded 531 Configure the Switches to Download SGACLs from ISE 532 Validating the PAC File and CTS Data Downloads 533 Security Group Firewalls 535 Security Group Firewall on the ASA 535 Security Group Firewall on the ISR and ASR 543 Summary 546 Chapter 26 MACSec and NDAC 547 MACSec 548 Downlink MACSec 549 Switch Configuration Modes 551 ISE Configuration 552 Uplink MACSec 553 Network Device Admission Control 557 Creating an NDAC Domain 558 Configuring ISE 558 Configuring the Seed Device 562 Adding Non-Seed Switches 564 Configuring the Switch Interfaces for Both Seed and Non-Seed 566 MACSec Sequence in an NDAC Domain 567 Summary 568 Chapter 27 Network Edge Authentication Topology 569 NEAT Explained 570 Configuring NEAT 571 Preparing ISE for NEAT 571 Create the User Identity Group and Identity 571 Create the Authorization Profile 572 Create the Authorization Rule 573 Access Switch (Authenticator) Configuration 574 Desktop Switch (Supplicant) Configuration 574 Summary 575 Section VII Monitoring, Maintenance, and Troubleshooting Chapter 28 Understanding Monitoring and Alerting 577 ISE Monitoring 577 Live Authentications Log 578 Monitoring Endpoints 580 Global Search 581 Monitoring Node in a Distributed Deployment 584 Device Configuration for Monitoring 584 ISE Reporting 585 Data Repository Setup 586 ISE Alarms 587 Summary 588 Chapter 29 Troubleshooting 589 Diagnostics Tools 589 RADIUS Authentication Troubleshooting 589 Evaluate Configuration Validator 591 TCP Dump 594 Troubleshooting Methodology 596 Troubleshooting Authentication and Authorization 596 Option 1: No Live Log Entry Exists 597 Option 2: An Entry Exists in the Live Log 603 General High-Level Troubleshooting Flowchart 605 Troubleshooting WebAuth and URL Redirection 605 Active Directory Is Disconnected 610 Debug Situations: ISE Logs 611 The Support Bundle 611 Common Error Messages and Alarms 613 EAP Connection Timeout 613 Dynamic Authorization Failed 615 WebAuth Loop 617 Account Lockout 617 ISE Node Communication 617 Summary 618 Chapter 30 Backup, Patching, and Upgrading 619 Repositories 619 Configuring a Repository 619 Backup 625 Restore 628 Patching 629 Upgrading 632 Summary 634 Appendix A Sample User Community Deployment Messaging Material 635 Appendix B Sample ISE Deployment Questionnaire 639 Appendix C Configuring the Microsoft CA for BYOD 645 Appendix D Using a Cisco IOS Certificate Authority for BYOD Onboarding 669 Appendix E Sample Switch Configurations 675 TOC, 9781587143250, 5/15/2013show more

Rating details

1 ratings
3 out of 5 stars
5 0% (0)
4 0% (0)
3 100% (1)
2 0% (0)
1 0% (0)
Book ratings by Goodreads
Goodreads is the world's largest site for readers with over 50 million reviews. We're featuring millions of their reader ratings on our book pages to help you find your new favourite book. Close X