Cisco ISE for BYOD and Secure Unified Access

  • Binding: Paperback, 719 pages
  • Language: ENG
  • Product code: 9781587143250
  • DDC classification: 005

Full Description


Plan and deploy identity-based secure access for BYOD and borderless networks

Using Cisco Secure Unified Access Architecture and Cisco Identity Services Engine, you can secure and regain control of borderless networks in a Bring Your Own Device (BYOD) world. This book covers the complete lifecycle of protecting a modern borderless network using these advanced solutions, from planning an architecture through deployment, management, and troubleshooting.

Cisco ISE for BYOD and Secure Unified Access begins by reviewing the business case for an identity solution. Next, you'll walk through identifying users, devices, and security posture; gain a deep understanding of Cisco's Secure Unified Access solution; and master powerful techniques for securing borderless networks, from device isolation to protocol-independent network segmentation.

You'll find in-depth coverage of all relevant technologies and techniques, including 802.1X, profiling, device onboarding, guest lifecycle management, network admission control, RADIUS, and Security Group Access.

Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors present detailed sample configurations to help you plan your own integrated identity solution. Whether you're a technical professional or an IT manager, this guide will help you provide reliable secure access for BYOD, CYOD (Choose Your Own Device), or any IT model you choose.

  • Review the new security challenges associated with borderless networks, ubiquitous mobility, and consumerized IT
  • Understand the building blocks of an Identity Services Engine (ISE) solution
  • Design an ISE-enabled network, plan/distribute ISE functions, and prepare for rollout
  • Build context-aware security policies
  • Configure device profiling, endpoint posture assessments, and guest services
  • Implement secure guest lifecycle management, from WebAuth to sponsored guest access
  • Configure ISE, network access devices, and supplicants, step-by-step
  • Walk through a phased deployment that ensures zero downtime
  • Apply best practices to avoid the pitfalls of BYOD secure access
  • Simplify administration with self-service onboarding and registration
  • Deploy Security Group Access, Cisco's tagging enforcement solution
  • Add Layer 2 encryption to secure traffic flows
  • Use Network Edge Access Topology to extend secure access beyond the wiring closet
  • Monitor, maintain, and troubleshoot ISE and your entire Secure Unified Access system

Contents

Introduction (p. xxvi)

Section I: The Evolution of Identity Enabled Networks

Chapter 1: Regain Control of Your IT Security (p. 1)
  • Security: A Weakest-Link Problem with Ever More Links (p. 2)
  • Cisco Identity Services Engine (p. 3)
  • Sources for Providing Identity and Context Awareness (p. 4)
  • Unleash the Power of Centralized Policy (p. 5)
  • Summary (p. 6)

Chapter 2: Introducing Cisco Identity Services Engine (p. 7)
  • Systems Approach to Centralized Network Security Policy (p. 7)
  • What Is the Cisco Identity Services Engine? (p. 9)
  • ISE Authorization Rules (p. 12)
  • Summary (p. 13)

Section II: The Blueprint, Designing an ISE Enabled Network

Chapter 3: The Building Blocks in an Identity Services Engine Design (p. 15)
  • ISE Solution Components Explained (p. 15)
  • Infrastructure Components (p. 16)
  • Policy Components (p. 20)
  • Endpoint Components (p. 20)
  • ISE Personas (p. 21)
  • ISE Licensing, Requirements, and Performance (p. 22)
  • ISE Licensing (p. 23)
  • ISE Requirements (p. 23)
  • ISE Performance (p. 25)
  • ISE Policy-Based Structure Explained (p. 27)
  • Summary (p. 28)

Chapter 4: Making Sense of All the ISE Deployment Design Options (p. 29)
  • Centralized Versus Distributed Deployment (p. 29)
  • Centralized Deployment (p. 30)
  • Distributed Deployment (p. 32)
  • Summary (p. 35)

Chapter 5: Following a Phased Deployment (p. 37)
  • Why Use a Phased Deployment Approach? (p. 37)
  • Monitor Mode (p. 38)
  • Choosing Your End-State Mode (p. 40)
  • End-State Choice 1: Low-Impact Mode (p. 42)
  • End-State Choice 2: Closed Mode (p. 44)
  • Transitioning from Monitor Mode into an End-State Mode (p. 45)
  • Summary (p. 46)

Section III: The Foundation, Building a Context-Aware Security Policy

Chapter 6: Building a Cisco ISE Network Access Security Policy (p. 47)
  • What Makes Up a Cisco ISE Network Access Security Policy? (p. 47)
  • Network Access Security Policy Checklist (p. 48)
  • Involving the Right People in the Creation of the Network Access Security Policy (p. 49)
  • Determining the High-Level Goals for Network Access Security (p. 51)
  • Common High-Level Network Access Security Goals (p. 52)
  • Defining the Security Domains (p. 55)
  • Understanding and Defining ISE Authorization Rules (p. 57)
  • Commonly Configured Rules and Their Purpose (p. 58)
  • Establishing Acceptable Use Policies (p. 59)
  • Defining Network Access Privileges (p. 61)
  • Enforcement Methods Available with ISE (p. 61)
  • Commonly Used Network Access Security Policies (p. 62)
  • Summary (p. 65)

Chapter 7: Building a Device Security Policy (p. 67)
  • Host Security Posture Assessment Rules to Consider (p. 67)
  • Sample NASP Format for Documenting ISE Posture Requirements (p. 72)
  • Common Checks, Rules, and Requirements (p. 74)
  • Method for Adding Posture Policy Rules (p. 74)
  • Research and Information (p. 75)
  • Establishing Criteria to Determine the Validity of a Security Posture Check, Rule, or Requirement in Your Organization (p. 76)
  • Method for Determining Which Posture Policy Rules a Particular Security Requirement Should Be Applied To (p. 77)
  • Method for Deploying and Enforcing Security Requirements (p. 78)
  • ISE Device Profiling (p. 79)
  • ISE Profiling Policies (p. 80)
  • ISE Profiler Data Sources (p. 81)
  • Using Device Profiles in Authorization Rules (p. 82)
  • Summary (p. 82)

Chapter 8: Building an ISE Accounting and Auditing Policy (p. 83)
  • Why You Need Accounting and Auditing for ISE (p. 83)
  • Using PCI DSS as Your ISE Auditing Framework (p. 84)
  • ISE Policy for PCI 10.1: Ensuring Unique Usernames and Passwords (p. 87)
  • ISE Policy for PCI 10.2 and 10.3: Audit Log Collection (p. 89)
  • ISE Policy for PCI 10.5.3, 10.5.4, and 10.7: Ensure the Integrity and Confidentiality of Log Data (p. 90)
  • ISE Policy for PCI 10.6: Review Audit Data Regularly (p. 91)
  • Cisco ISE User Accounting (p. 92)
  • Summary (p. 94)

Section IV: Configuration

Chapter 9: The Basics: Principal Configuration Tasks for Cisco ISE (p. 95)
  • Bootstrapping Cisco ISE (p. 95)
  • Using the Cisco ISE Setup Assistant Wizard (p. 98)
  • Configuring Network Devices for ISE (p. 106)
  • Wired Switch Configuration Basics (p. 106)
  • Wireless Controller Configuration Basics (p. 109)
  • Completing the Basic ISE Setup (p. 113)
  • Install ISE Licenses (p. 113)
  • ISE Certificates (p. 114)
  • Installing ISE Behind a Firewall (p. 116)
  • Role-Based Access Control for Administrators (p. 121)
  • RBAC for ISE GUI (p. 121)
  • RBAC: Session and Access Settings and Restrictions (p. 121)
  • RBAC: Authentication (p. 123)
  • RBAC: Authorization (p. 124)
  • Summary (p. 126)

Chapter 10: Profiling Basics (p. 127)
  • Understanding Profiling Concepts (p. 127)
  • Probes (p. 130)
  • Probe Configuration (p. 130)
  • Deployment Considerations (p. 133)
  • DHCP (p. 134)
  • Deployment Considerations (p. 135)
  • NetFlow (p. 137)
  • Deployment Considerations (p. 137)
  • RADIUS (p. 137)
  • Deployment Considerations (p. 138)
  • Network Scan (NMAP) (p. 138)
  • Deployment Considerations (p. 139)
  • DNS (p. 139)
  • Deployment Considerations (p. 139)
  • SNMP (p. 140)
  • Deployment Considerations (p. 140)
  • IOS Device-Sensor (p. 141)
  • Change of Authorization (p. 142)
  • CoA Message Types (p. 142)
  • Configuring Change of Authorization in ISE (p. 143)
  • Infrastructure Configuration (p. 144)
  • DHCP Helper (p. 145)
  • SPAN Configuration (p. 145)
  • VLAN Access Control Lists (VACL) (p. 146)
  • VMware Configurations to Allow Promiscuous Mode (p. 148)
  • Best Practice Recommendations (p. 149)
  • Examining Profiling Policies (p. 152)
  • Endpoint Profile Policies (p. 152)
  • Cisco IP Phone 7970 Example (p. 155)
  • Using Profiles in Authorization Policies (p. 161)
  • Endpoint Identity Groups (p. 161)
  • EndPointPolicy (p. 163)
  • Logical Profiles (p. 164)
  • Feed Service (p. 166)
  • Configuring the Feed Service (p. 166)
  • Summary (p. 168)

Chapter 11: Bootstrapping Network Access Devices (p. 169)
  • Bootstrap Wizard (p. 169)
  • Cisco Catalyst Switches (p. 170)
  • Global Configuration Settings for All Cisco IOS 12.2 and 15.x Switches (p. 170)
  • Configure Certificates on a Switch (p. 170)
  • Enable the Switch HTTP/HTTPS Server (p. 170)
  • Global AAA Commands (p. 171)
  • Global RADIUS Commands (p. 172)
  • Create Local Access Control Lists (p. 174)
  • Global 802.1X Commands (p. 175)
  • Global Logging Commands (Optional) (p. 175)
  • Global Profiling Commands (p. 177)
  • Interface Configuration Settings for All Cisco Switches (p. 179)
  • Configure Interfaces as Switch Ports (p. 179)
  • Configure Flexible Authentication and High Availability (p. 179)
  • Configure Authentication Settings (p. 182)
  • Configure Authentication Timers (p. 184)
  • Apply the Initial ACL to the Port and Enable Authentication (p. 184)
  • Cisco Wireless LAN Controllers (p. 184)
  • Configure the AAA Servers (p. 185)
  • Add the RADIUS Authentication Servers (p. 185)
  • Add the RADIUS Accounting Servers (p. 186)
  • Configure RADIUS Fallback (High Availability) (p. 187)
  • Configure the Airespace ACLs (p. 188)
  • Create the Web Authentication Redirection ACL (p. 188)
  • Create the Posture Agent Redirection ACL (p. 191)
  • Create the Dynamic Interfaces for the Client VLANs (p. 193)
  • Create the Employee Dynamic Interface (p. 193)
  • Create the Guest Dynamic Interface (p. 194)
  • Create the Wireless LANs (p. 195)
  • Create the Guest WLAN (p. 195)
  • Create the Corporate SSID (p. 199)
  • Summary (p. 202)

Chapter 12: Authorization Policy Elements (p. 205)
  • Authorization Results (p. 206)
  • Configuring Authorization Downloadable ACLs (p. 207)
  • Configuring Authorization Profiles (p. 209)
  • Summary (p. 212)

Chapter 13: Authentication and Authorization Policies (p. 215)
  • Relationship Between Authentication and Authorization (p. 215)
  • Authentication Policies (p. 216)
  • Goals of an Authentication Policy (p. 216)
  • Accept Only Allowed Protocols (p. 216)
  • Route to the Correct Identity Store (p. 216)
  • Validate the Identity (p. 217)
  • Pass the Request to the Authorization Policy (p. 217)
  • Understanding Authentication Policies (p. 217)
  • Conditions (p. 218)
  • Allowed Protocols (p. 220)
  • Identity Store (p. 224)
  • Options (p. 224)
  • Common Authentication Policy Examples (p. 224)
  • Using the Wireless SSID (p. 225)
  • Remote-Access VPN (p. 228)
  • Alternative ID Stores Based on EAP Type (p. 230)
  • Authorization Policies (p. 232)
  • Goals of Authorization Policies (p. 232)
  • Understanding Authorization Policies (p. 233)
  • Role-Specific Authorization Rules (p. 237)
  • Authorization Policy Example (p. 237)
  • Employee and Corporate Machine Full-Access Rule (p. 238)
  • Internet Only for iDevices (p. 240)
  • Employee Limited Access Rule (p. 243)
  • Saving Attributes for Re-Use (p. 246)
  • Summary (p. 248)

Chapter 14: Guest Lifecycle Management (p. 249)
  • Guest Portal Configuration (p. 251)
  • Configuring Identity Source(s) (p. 252)
  • Guest Sponsor Configuration (p. 254)
  • Guest Time Profiles (p. 254)
  • Guest Sponsor Groups (p. 255)
  • Sponsor Group Policies (p. 257)
  • Authentication and Authorization Guest Policies (p. 258)
  • Guest Pre-Authentication Authorization Policy (p. 258)
  • Guest Post-Authentication Authorization Policy (p. 262)
  • Guest Sponsor Portal Configuration (p. 263)
  • Guest Portal Interface and IP Configuration (p. 264)
  • Sponsor and Guest Portal Customization (p. 264)
  • Customize the Sponsor Portal (p. 264)
  • Creating a Simple URL for Sponsor Portal (p. 265)
  • Guest Portal Customization (p. 265)
  • Customizing Portal Theme (p. 266)
  • Creating Multiple Portals (p. 268)
  • Guest Sponsor Portal Usage (p. 271)
  • Sponsor Portal Layout (p. 271)
  • Creating Guest Accounts (p. 273)
  • Managing Guest Accounts (p. 273)
  • Configuration of Network Devices for Guest CWA (p. 274)
  • Wired Switches (p. 274)
  • Wireless LAN Controllers (p. 275)
  • Summary (p. 277)

Chapter 15: Device Posture Assessment (p. 279)
  • ISE Posture Assessment Flow (p. 280)
  • Configure Global Posture and Client Provisioning Settings (p. 283)
  • Posture Client Provisioning Global Setup (p. 283)
  • Posture Global Setup (p. 285)
  • General Settings (p. 285)
  • Reassessments (p. 286)
  • Updates (p. 287)
  • Acceptable Use Policy (p. 287)
  • Configure the NAC Agent and NAC Client Provisioning Settings (p. 288)
  • Configure Posture Conditions (p. 289)
  • Configure Posture Remediation (p. 292)
  • Configure Posture Requirements (p. 295)
  • Configure Posture Policy (p. 296)
  • Enabling Posture Assessment in the Network (p. 298)
  • Summary (p. 299)

Chapter 16: Supplicant Configuration (p. 301)
  • Comparison of Popular Supplicants (p. 302)
  • Configuring Common Supplicants (p. 303)
  • Mac OS X 10.8.2 Native Supplicant Configuration (p. 303)
  • Windows GPO Configuration for Wired Supplicant (p. 305)
  • Windows 7 Native Supplicant Configuration (p. 309)
  • Cisco AnyConnect Secure Mobility Client NAM (p. 312)
  • Summary (p. 317)

Chapter 17: BYOD: Self-Service Onboarding and Registration (p. 319)
  • BYOD Challenges (p. 320)
  • Onboarding Process (p. 322)
  • BYOD Onboarding (p. 322)
  • Dual SSID (p. 322)
  • Single SSID (p. 323)
  • Configuring NADs for Onboarding (p. 324)
  • ISE Configuration for Onboarding (p. 329)
  • End-User Experience (p. 330)
  • Configuring ISE for Onboarding (p. 347)
  • BYOD Onboarding Process Detailed (p. 357)
  • MDM Onboarding (p. 367)
  • Integration Points (p. 367)
  • Configuring MDM Integration (p. 368)
  • Configuring MDM Onboarding Policies (p. 369)
  • Managing Endpoints (p. 372)
  • Self Management (p. 373)
  • Administrative Management (p. 373)
  • The Opposite of BYOD: Identify Corporate Systems (p. 374)
  • EAP Chaining (p. 375)
  • Summary (p. 376)

Chapter 18: Setting Up a Distributed Deployment (p. 377)
  • Configuring ISE Nodes in a Distributed Environment (p. 377)
  • Make the Policy Administration Node a Primary Device (p. 377)
  • Register an ISE Node to the Deployment (p. 379)
  • Ensure the Persona of All Nodes Is Accurate (p. 381)
  • Understanding the HA Options Available (p. 382)
  • Primary and Secondary Nodes (p. 382)
  • Monitoring and Troubleshooting Nodes (p. 382)
  • Policy Administration Nodes (p. 384)
  • Promoting the Secondary PAN to Primary (p. 385)
  • Node Groups (p. 385)
  • Create a Node Group (p. 386)
  • Add the Policy Services Nodes to the Node Group (p. 387)
  • Using Load Balancers (p. 388)
  • General Guidelines (p. 388)
  • Failure Scenarios (p. 389)
  • Summary (p. 390)

Chapter 19: Inline Posture Node (p. 391)
  • Use Cases for the Inline Posture Node (p. 391)
  • Overview of IPN Functionality (p. 392)
  • IPN Configuration (p. 393)
  • IPN Modes of Operation (p. 393)
  • Summary (p. 394)

Section V: Deployment Best Practices

Chapter 20: Deployment Phases (p. 395)
  • Why Use a Phased Approach? (p. 395)
  • A Phased Approach (p. 397)
  • Authentication Open Versus Standard 802.1X (p. 398)
  • Monitor Mode (p. 399)
  • Prepare ISE for a Staged Deployment (p. 401)
  • Create the Network Device Groups (p. 401)
  • Create the Policy Sets (p. 403)
  • Low-Impact Mode (p. 404)
  • Closed Mode (p. 406)
  • Transitioning from Monitor Mode to Your End State (p. 408)
  • Wireless Networks (p. 409)
  • Summary (p. 410)

Chapter 21: Monitor Mode (p. 411)
  • Endpoint Discovery (p. 412)
  • SNMP Trap Method (p. 413)
  • Configuring the ISE Probes (p. 414)
  • Adding the Network Device to ISE (p. 416)
  • Configuring the Switches (p. 418)
  • RADIUS with SNMP Query Method (p. 420)
  • Configuring the ISE Probes (p. 420)
  • Adding the Network Device to ISE (p. 421)
  • Configuring the Switches (p. 422)
  • Device Sensor Method (p. 424)
  • Configuring the ISE Probes (p. 425)
  • Adding the Network Device to ISE (p. 425)
  • Configuring the Switches (p. 426)
  • Using Monitoring to Identify Misconfigured Devices (p. 428)
  • Tuning the Profiling Policies (p. 428)
  • Creating the Authentication Policies for Monitor Mode (p. 430)
  • Creating Authorization Policies for Non-Authenticating Devices (p. 433)
  • IP-Phones (p. 433)
  • Wireless APs (p. 435)
  • Printers (p. 436)
  • Creating Authorization Policies for Authenticating Devices (p. 438)
  • Machine Authentication (Machine Auth) (p. 438)
  • User Authentications (p. 439)
  • Default Authorization Rule (p. 440)
  • Summary (p. 441)

Chapter 22: Low-Impact Mode (p. 443)
  • Transitioning from Monitor Mode to Low-Impact Mode (p. 445)
  • Configuring ISE for Low-Impact Mode (p. 446)
  • Set Up the Low-Impact Mode Policy Set in ISE (p. 446)
  • Duplicate the Monitor Mode Policy Set (p. 446)
  • Create the Web Authentication Authorization Result (p. 448)
  • Configure the Web Authentication Identity Source Sequence (p. 451)
  • Modify the Default Rule in the Low-Impact Policy Set (p. 451)
  • Assign the WLCs and Switches to the Low-Impact Stage NDG (p. 452)
  • Modify the Default Port ACL on the Switches That Will Be Part of Low-Impact Mode (p. 453)
  • Monitoring in Low-Impact Mode (p. 454)
  • Tightening Security (p. 454)
  • Creating AuthZ Policies for the Specific Roles (p. 454)
  • Change Default Authentication Rule to Deny Access (p. 456)
  • Moving Switch Ports from Multi-Auth to Multi-Domain (p. 457)
  • Summary (p. 458)

Chapter 23: Closed Mode (p. 459)
  • Transitioning from Monitor Mode to Closed Mode (p. 461)
  • Configuring ISE for Closed Mode (p. 461)
  • Set Up the Closed Mode Policy Set in ISE (p. 461)
  • Duplicate the Monitor Mode Policy Set (p. 462)
  • Create the Web Authentication Authorization Result (p. 463)
  • Configure the Web Authentication Identity Source Sequence (p. 466)
  • Modify the Default Rule in the Closed Policy Set (p. 467)
  • Assign the WLCs and Switches to the Closed Stage NDG (p. 468)
  • Modify the Default Port ACL on the Switches That Will Be Part of Closed Mode (p. 469)
  • Monitoring in Closed Mode (p. 469)
  • Tightening Security (p. 469)
  • Creating Authorization Policies for the Specific Roles (p. 470)
  • Change Default Authentication Rule to Deny Access (p. 472)
  • Moving Switch Ports from Multi-Auth to MDA (p. 473)
  • Summary (p. 474)

Section VI: Advanced Secure Unified Access Features

Chapter 24: Advanced Profiling Configuration (p. 475)
  • Creating Custom Profiles for Unknown Endpoints (p. 475)
  • Identifying Unique Values for an Unknown Device (p. 476)
  • Collecting Information for Custom Profiles (p. 478)
  • Creating Custom Profiler Conditions (p. 479)
  • Creating Custom Profiler Policies (p. 480)
  • Advanced NetFlow Probe Configuration (p. 481)
  • Commonly Used NetFlow Attributes (p. 483)
  • Example Profiler Policy Using NetFlow (p. 483)
  • Designing for Efficient Collection of NetFlow Data (p. 484)
  • Configuration of NetFlow on Cisco Devices (p. 485)
  • Profiler CoA and Exceptions (p. 488)
  • Types of CoA (p. 489)
  • Creating Exceptions Actions (p. 489)
  • Configuring CoA and Exceptions in Profiler Policies (p. 490)
  • Profiler Monitoring and Reporting (p. 491)
  • Summary (p. 494)

Chapter 25: Security Group Access (p. 495)
  • Ingress Access Control Challenges (p. 495)
  • VLAN Assignment (p. 495)
  • Ingress Access Control Lists (p. 498)
  • What Is Security Group Access? (p. 499)
  • So, What Is a Security Group Tag? (p. 500)
  • Defining the SGTs (p. 501)
  • Classification (p. 504)
  • Dynamically Assigning SGT via 802.1X (p. 504)
  • Manually Assigning SGT at the Port (p. 506)
  • Manually Binding IP Addresses to SGTs (p. 506)
  • Access Layer Devices That Do Not Support SGTs (p. 507)
  • Transport: Security Group eXchange Protocol (SXP) (p. 508)
  • SXP Design (p. 508)
  • Configuring SXP on IOS Devices (p. 509)
  • Configuring SXP on Wireless LAN Controllers (p. 511)
  • Configuring SXP on Cisco ASA (p. 513)
  • Transport: Native Tagging (p. 516)
  • Configuring Native SGT Propagation (Tagging) (p. 517)
  • Configuring SGT Propagation on Cisco IOS Switches (p. 518)
  • Configuring SGT Propagation on a Catalyst 6500 (p. 520)
  • Configuring SGT Propagation on a Nexus Series Switch (p. 522)
  • Enforcement (p. 523)
  • SGACL (p. 524)
  • Creating the SG-ACL in ISE (p. 526)
  • Configure ISE to Allow the SGACLs to Be Downloaded (p. 531)
  • Configure the Switches to Download SGACLs from ISE (p. 532)
  • Validating the PAC File and CTS Data Downloads (p. 533)
  • Security Group Firewalls (p. 535)
  • Security Group Firewall on the ASA (p. 535)
  • Security Group Firewall on the ISR and ASR (p. 543)
  • Summary (p. 546)

Chapter 26: MACSec and NDAC (p. 547)
  • MACSec (p. 548)
  • Downlink MACSec (p. 549)
  • Switch Configuration Modes (p. 551)
  • ISE Configuration (p. 552)
  • Uplink MACSec (p. 553)
  • Network Device Admission Control (p. 557)
  • Creating an NDAC Domain (p. 558)
  • Configuring ISE (p. 558)
  • Configuring the Seed Device (p. 562)
  • Adding Non-Seed Switches (p. 564)
  • Configuring the Switch Interfaces for Both Seed and Non-Seed (p. 566)
  • MACSec Sequence in an NDAC Domain (p. 567)
  • Summary (p. 568)

Chapter 27: Network Edge Authentication Topology (p. 569)
  • NEAT Explained (p. 570)
  • Configuring NEAT (p. 571)
  • Preparing ISE for NEAT (p. 571)
  • Create the User Identity Group and Identity (p. 571)
  • Create the Authorization Profile (p. 572)
  • Create the Authorization Rule (p. 573)
  • Access Switch (Authenticator) Configuration (p. 574)
  • Desktop Switch (Supplicant) Configuration (p. 574)
  • Summary (p. 575)

Section VII: Monitoring, Maintenance, and Troubleshooting

Chapter 28: Understanding Monitoring and Alerting (p. 577)
  • ISE Monitoring (p. 577)
  • Live Authentications Log (p. 578)
  • Monitoring Endpoints (p. 580)
  • Global Search (p. 581)
  • Monitoring Node in a Distributed Deployment (p. 584)
  • Device Configuration for Monitoring (p. 584)
  • ISE Reporting (p. 585)
  • Data Repository Setup (p. 586)
  • ISE Alarms (p. 587)
  • Summary (p. 588)

Chapter 29: Troubleshooting (p. 589)
  • Diagnostics Tools (p. 589)
  • RADIUS Authentication Troubleshooting (p. 589)
  • Evaluate Configuration Validator (p. 591)
  • TCP Dump (p. 594)
  • Troubleshooting Methodology (p. 596)
  • Troubleshooting Authentication and Authorization (p. 596)
  • Option 1: No Live Log Entry Exists (p. 597)
  • Option 2: An Entry Exists in the Live Log (p. 603)
  • General High-Level Troubleshooting Flowchart (p. 605)
  • Troubleshooting WebAuth and URL Redirection (p. 605)
  • Active Directory Is Disconnected (p. 610)
  • Debug Situations: ISE Logs (p. 611)
  • The Support Bundle (p. 611)
  • Common Error Messages and Alarms (p. 613)
  • EAP Connection Timeout (p. 613)
  • Dynamic Authorization Failed (p. 615)
  • WebAuth Loop (p. 617)
  • Account Lockout (p. 617)
  • ISE Node Communication (p. 617)
  • Summary (p. 618)

Chapter 30: Backup, Patching, and Upgrading (p. 619)
  • Repositories (p. 619)
  • Configuring a Repository (p. 619)
  • Backup (p. 625)
  • Restore (p. 628)
  • Patching (p. 629)
  • Upgrading (p. 632)
  • Summary (p. 634)

Appendix A: Sample User Community Deployment Messaging Material (p. 635)
Appendix B: Sample ISE Deployment Questionnaire (p. 639)
Appendix C: Configuring the Microsoft CA for BYOD (p. 645)
Appendix D: Using a Cisco IOS Certificate Authority for BYOD Onboarding (p. 669)
Appendix E: Sample Switch Configurations (p. 675)

TOC, 9781587143250, 5/15/2013
