Cisco ISE for BYOD and Secure Unified Access

Book description

Plan and deploy identity-based secure access for BYOD and borderless networks

Using Cisco Secure Unified Access Architecture and Cisco Identity Services Engine, you can secure and regain control of borderless networks in a Bring Your Own Device (BYOD) world. This book covers the complete lifecycle of protecting a modern borderless network using these advanced solutions, from planning an architecture through deployment, management, and troubleshooting.

Cisco ISE for BYOD and Secure Unified Access begins by reviewing the business case for an identity solution. Next, you’ll walk through identifying users, devices, and security posture; gain a deep understanding of Cisco’s Secure Unified Access solution; and master powerful techniques for securing borderless networks, from device isolation to protocol-independent network segmentation.

You’ll find in-depth coverage of all relevant technologies and techniques, including 802.1X, profiling, device onboarding, guest lifecycle management, network admission control, RADIUS, and Security Group Access.

Drawing on their cutting-edge experience supporting Cisco enterprise customers, the authors present detailed sample configurations to help you plan your own integrated identity solution. Whether you’re a technical professional or an IT manager, this guide will help you provide reliable secure access for BYOD, CYOD (Choose Your Own Device), or any IT model you choose.

  • Review the new security challenges associated with borderless networks, ubiquitous mobility, and consumerized IT

  • Understand the building blocks of an Identity Services Engine (ISE) solution

  • Design an ISE-Enabled network, plan/distribute ISE functions, and prepare for rollout

  • Build context-aware security policies

  • Configure device profiling, endpoint posture assessments, and guest services

  • Implement secure guest lifecycle management, from WebAuth to sponsored guest access

  • Configure ISE, network access devices, and supplicants, step-by-step

  • Walk through a phased deployment that ensures zero downtime

  • Apply best practices to avoid the pitfalls of BYOD secure access

  • Simplify administration with self-service onboarding and registration

  • Deploy Security Group Access, Cisco’s tagging enforcement solution

  • Add Layer 2 encryption to secure traffic flows

  • Use Network Edge Access Topology to extend secure access beyond the wiring closet

  • Monitor, maintain, and troubleshoot ISE and your entire Secure Unified Access system

  • Table of contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. About the Authors
    5. About the Technical Reviewers
    6. Dedications
    7. Acknowledgments
    8. Contents at a Glance
    9. Contents
    10. Command Syntax Conventions
    11. Introduction
      1. Objectives of This Book
      2. Who Should Read This Book?
      3. How This Book Is Organized
    12. Section I: The Evolution of Identity Enabled Networks
      1. Chapter 1. Regain Control of Your IT Security
        1. Security: A Weakest-Link Problem with Ever More Links
        2. Cisco Identity Services Engine
        3. Summary
      2. Chapter 2. Introducing Cisco Identity Services Engine
        1. Systems Approach to Centralized Network Security Policy
        2. What Is the Cisco Identity Services Engine?
        3. ISE Authorization Rules
        4. Summary
    13. Section II: The Blueprint, Designing an ISE Enabled Network
      1. Chapter 3. The Building Blocks in an Identity Services Engine Design
        1. ISE Solution Components Explained
        2. ISE Personas
        3. ISE Licensing, Requirements, and Performance
        4. ISE Policy-Based Structure Explained
        5. Summary
      2. Chapter 4. Making Sense of All the ISE Deployment Design Options
        1. Centralized Versus Distributed Deployment
        2. Summary
      3. Chapter 5. Following a Phased Deployment
        1. Why Use a Phased Deployment Approach?
        2. Monitor Mode
        3. Choosing Your End-State Mode
        4. Transitioning from Monitor Mode into an End-State Mode
        5. Summary
    14. Section III: The Foundation, Building a Context-Aware Security Policy
      1. Chapter 6. Building a Cisco ISE Network Access Security Policy
        1. What Makes Up a Cisco ISE Network Access Security Policy?
        2. Involving the Right People in the Creation of the Network Access Security Policy
        3. Determining the High-Level Goals for Network Access Security
        4. Common High-Level Network Access Security Goals
        5. Defining the Security Domains
        6. Understanding and Defining ISE Authorization Rules
        7. Establishing Acceptable Use Policies
        8. Defining Network Access Privileges
        9. Summary
      2. Chapter 7. Building a Device Security Policy
        1. Host Security Posture Assessment Rules to Consider
        2. ISE Device Profiling
        3. Summary
      3. Chapter 8. Building an ISE Accounting and Auditing Policy
        1. Why You Need Accounting and Auditing for ISE
        2. Using PCI DSS as Your ISE Auditing Framework
        3. Cisco ISE User Accounting
        4. Summary
    15. Section IV: Configuration
      1. Chapter 9. The Basics: Principal Configuration Tasks for Cisco ISE
        1. Bootstrapping Cisco ISE
        2. Using the Cisco ISE Setup Assistant Wizard
        3. Configuring Network Devices for ISE
        4. Completing the Basic ISE Setup
        5. Installing ISE Behind a Firewall
        6. Role-Based Access Control for Administrators
        7. Summary
      2. Chapter 10. Profiling Basics
        1. Understanding Profiling Concepts
        2. Examining Profiling Policies
        3. Using Profiles in Authorization Policies
        4. Feed Service
        5. Summary
      3. Chapter 11. Bootstrapping Network Access Devices
        1. Bootstrap Wizard
        2. Cisco Catalyst Switches
        3. Cisco Wireless LAN Controllers
        4. Summary
      4. Chapter 12. Authorization Policy Elements
        1. Authorization Results
        2. Summary
      5. Chapter 13. Authentication and Authorization Policies
        1. Relationship Between Authentication and Authorization
        2. Authentication Policies
        3. Understanding Authentication Policies
        4. Authorization Policies
        5. Saving Attributes for Re-Use
        6. Summary
      6. Chapter 14. Guest Lifecycle Management
        1. Guest Portal Configuration
        2. Guest Sponsor Configuration
        3. Authentication and Authorization Guest Policies
        4. Guest Sponsor Portal Configuration
        5. Guest Sponsor Portal Usage
        6. Configuration of Network Devices for Guest CWA
        7. Summary
      7. Chapter 15. Device Posture Assessment
        1. ISE Posture Assessment Flow
        2. Configure Global Posture and Client Provisioning Settings
        3. Configure the NAC Agent and NAC Client Provisioning Settings
        4. Configure Posture Conditions
        5. Configure Posture Remediation
        6. Configure Posture Requirements
        7. Configure Posture Policy
        8. Enabling Posture Assessment in the Network
        9. Summary
      8. Chapter 16. Supplicant Configuration
        1. Comparison of Popular Supplicants
        2. Configuring Common Supplicants
        3. Summary
      9. Chapter 17. BYOD: Self-Service Onboarding and Registration
        1. BYOD Challenges
        2. Onboarding Process
        3. Managing Endpoints
        4. The Opposite of BYOD: Identify Corporate Systems
        5. Summary
      10. Chapter 18. Setting Up a Distributed Deployment
        1. Configuring ISE Nodes in a Distributed Environment
        2. Understanding the HA Options Available
        3. Node Groups
        4. Using Load Balancers
        5. Summary
      11. Chapter 19. Inline Posture Node
        1. Use Cases for the Inline Posture Node
        2. Summary
    16. Section V: Deployment Best Practices
      1. Chapter 20. Deployment Phases
        1. Why Use a Phased Approach?
        2. Monitor Mode
        3. Low-Impact Mode
        4. Closed Mode
        5. Transitioning from Monitor Mode to Your End State
        6. Wireless Networks
        7. Summary
      2. Chapter 21. Monitor Mode
        1. Endpoint Discovery
        2. Using Monitoring to Identify Misconfigured Devices
        3. Summary
      3. Chapter 22. Low-Impact Mode
        1. Transitioning from Monitor Mode to Low-Impact Mode
        2. Configuring ISE for Low-Impact Mode
        3. Monitoring in Low-Impact Mode
        4. Tightening Security
        5. Summary
      4. Chapter 23. Closed Mode
        1. Transitioning from Monitor Mode to Closed Mode
        2. Configuring ISE for Closed Mode
        3. Monitoring in Closed Mode
        4. Tightening Security
        5. Summary
    17. Section VI: Advanced Secure Unified Access Features
      1. Chapter 24. Advanced Profiling Configuration
        1. Creating Custom Profiles for Unknown Endpoints
        2. Advanced NetFlow Probe Configuration
        3. Profiler COA and Exceptions
        4. Profiler Monitoring and Reporting
        5. Summary
      2. Chapter 25. Security Group Access
        1. Ingress Access Control Challenges
        2. What Is Security Group Access?
        3. Transport: Security Group eXchange Protocol (SXP)
        4. Transport: Native Tagging
        5. Enforcement
        6. Summary
      3. Chapter 26. MACSec and NDAC
        1. MACSec
        2. Network Device Admission Control
        3. Summary
      4. Chapter 27. Network Edge Authentication Topology
        1. NEAT Explained
        2. Configuring NEAT
        3. Summary
    18. Section VII: Monitoring, Maintenance, and Troubleshooting
      1. Chapter 28. Understanding Monitoring and Alerting
        1. ISE Monitoring
        2. ISE Reporting
        3. ISE Alarms
        4. Summary
      2. Chapter 29. Troubleshooting
        1. Diagnostics Tools
        2. Troubleshooting Methodology
        3. Common Error Messages and Alarms
        4. ISE Node Communication
        5. Summary
      3. Chapter 30. Backup, Patching, and Upgrading
        1. Repositories
        2. Backup
        3. Restore
        4. Summary
    19. Appendix A. Sample User Community Deployment Messaging Material
      1. Sample Identity Services Engine Requirement Change Notification Email
      2. Sample Identity Services Engine Notice for a Bulletin Board or Poster
      3. Sample Identity Services Engine Letter to Students
    20. Appendix B. Sample ISE Deployment Questionnaire
    21. Appendix C. Configuring the Microsoft CA for BYOD
      1. CA Requirements
      2. Other Useful Information
      3. Microsoft Hotfixes
      4. AD Account Roles
      5. Configuration Steps
      6. Configure the Certificate Template
      7. Useful Links
    22. Appendix D. Using a Cisco IOS Certificate Authority for BYOD Onboarding
      1. Set Hostname, Domain Name, and HTTP Server
      2. Generate and Export the RSA Key Pair for the Certificate Server
      3. Configure the CA Server on the Router
      4. Important Notes
    23. Appendix E. Sample Switch Configurations
      1. Catalyst 3000 Series, 12.2(55)SE
      2. Catalyst 3000 Series, 15.0(2)SE
      3. Catalyst 4500 Series, IOS-XE 3.3.0 / 15.1(1)SG
      4. Catalyst 6500 Series, 12.2(33)SXJ
    24. Index

    Product information

    • Title: Cisco ISE for BYOD and Secure Unified Access
    • Author(s): Jamey Heary, Aaron Woland
    • Release date: June 2013
    • Publisher(s): Cisco Press
    • ISBN: 9780133103632