BYOD - Identification and Authentication Deployment Guide

Introduction

Note

This guide is based on the Cisco SBA Borderless Networks LAN and WLAN 802.1X Deployment Guide. The goal of this guide is to show you how a BYOD business problem can be solved by using Cisco Smart Business Architecture. Cisco has previously developed solutions to issues that are similar to the various BYOD business problems. Cisco SBA uses 802.1X to solve the BYOD problem of identifying and authenticating devices.

There is a trend in the marketplace that is often referred to as Bring Your Own Device (BYOD). BYOD is a spectrum of business problems that can be solved in various ways, ranging from guest wireless access all the way to device authentication and identification. The goal is to provide a common work environment regardless of the type of device being used. This could be through a virtualized desktop or by allowing users to self-register devices for use on the network.

Organizations are experiencing an unprecedented transformation in the network landscape. In the past, IT typically provided network resources only to corporate-managed PCs, such as laptops and desktops. Today, employees are requiring access from both corporate managed and unmanaged devices including mobile devices like smart phones and tablets. This rapid proliferation of mobile devices capable of supporting applications drastically increases workforce mobility and productivity, but it also presents an enormous challenge to IT organizations seeking to enforce security policies across a growing population of devices, operating systems, and connectivity profiles.

This evolution of mobile device usage and the introduction of mobile devices into the workplace has caused a paradigm shift in how IT views what qualifies as a network “end point device” and also what it means to “be at work.” The distinction between a device used exclusively for “work” and a device used exclusively for “personal use” has evolved.

February 2012 Series

An organization needs to know not only who is accessing their wired and wireless networks, but also when the networks were accessed and from where. In addition, with the wide adoption of nontraditional devices such as smart phones and tablets, and people bringing their own devices to access the network, organizations need to know how many of these devices are connecting. With this information the organization can create policy to prevent connection by nontraditional devices, limit connection to approved devices, or make access to network resources easier for these nontraditional devices. This presents a challenge for IT organizations that seek to provide end users with a consistent network access experience and the freedom to use any device, while still enforcing stringent security policies to protect corporate intellectual property. Further complicating the situation is the need to deliver consistent access and enforce the proper security policy for each specific access scenario (wired, wireless, guest, local, branch, and remote users).

To balance the productivity gains against the security risks, IT needs to implement a solution that allows for seamless on-boarding of users and devices, simplicity of on-going operations, and the ability to extend end-user applications to any user or any device at any time.

Other SBA Borderless Networks guides addressing BYOD business problems include:

• BYOD—Internal Corporate Access Deployment Guide

• BYOD—Guest Wireless Access Deployment Guide

• BYOD—Remote Mobile Device Access Deployment Guide

Business Overview

With an increasingly mobile workforce and a diverse number of platforms used to gain access to the network, organizations are looking for ways to monitor and control network access. An organization needs to know not only who is accessing their wired and wireless networks, but also when the networks were accessed and from where. In addition, with the wide adoption of nontraditional devices such as smart phones and tablets, and people bringing their own devices to access the network, organizations need to know how many of these devices are connecting. With this information, the organization can create policy to prevent connection by nontraditional devices, limit connection to approved devices, or make access to network resources easier for these nontraditional devices.

Organizations are being driven by industry and regulatory compliance (PCI, Sarbanes-Oxley) to be able to report on who is accessing the organization's information, where they are accessing it from, and what type of device they are using to access it. Government mandates like Federal Information Processing Standard (FIPS) and Federal Information Security Management Act (FISMA) are also requiring agencies and entities working with government agencies to track this information. In some cases, an organization may choose to limit access to certain information to adhere to these regulations.

This information is also key data that can be used to generate advanced security policies. Organizations see this as a daunting task requiring the use of several advanced technologies and often delay implementing a solution simply because they don’t know where to begin.

This guide is the first step in deploying a complete identity-based architecture. Future projects will address additional use cases that will focus on the features that will provide for things like enforcement, guest access, and confidentiality.

Technology Overview

Cisco Identity Services Engine (ISE) is an identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. Cisco ISE is a core component of Cisco TrustSec. Its architecture allows an organization to gather real-time contextual information from the network, users, and devices to make proactive policy decisions by tying identity into network elements like access switches, wireless controllers, and VPN gateways.

This deployment uses Cisco ISE as the authentication and accounting server for the wired and wireless networks as well as for remote access VPN users who connect using RADIUS. Cisco ISE integrates with the existing Active Directory (AD) services as its external identity store, so that AD remains the single, centralized identity store for all network services.

In addition to authentication, this deployment uses Cisco ISE to profile devices to determine the specific type of devices that are accessing the network. This is done by collecting attributes from the endpoint's traffic (for example, DHCP options, HTTP User-Agent strings, and the MAC address reported in RADIUS) and matching them against profiling policies. Cisco ISE currently has probes for Dynamic Host Configuration Protocol (DHCP), HTTP, RADIUS, Domain Name System (DNS), Simple Network Management Protocol (SNMP) traps and queries, and NetFlow. To analyze the traffic, the engine can be deployed as an inline policy enforcement device or the traffic can be forwarded to the engine.

As an example, the network infrastructure is configured to send copies of the DHCP requests to Cisco ISE for analysis. The engine then evaluates the DHCP request and can identify the device based on the data in the request. For example, Cisco IP Phones are identified by their DHCP vendor class identifier (option 60).

In the LAN, there are three modes for deploying TrustSec: monitor mode, authenticated mode, and enforcement mode. Cisco recommends a phased deployment model that can allow for limited impact on network access while gradually introducing authentication/authorization on the network. This document covers the deployment of monitor mode both at the headquarters site and the remote sites, with Cisco ISE being centralized in the data center.

The monitor mode deployment in use deploys two features within IOS on the switches in the access layer at both the headquarters sites as well as the remote sites. The first is MAC Authentication Bypass (MAB), which authenticates the device on the switch port by its MAC address. In monitor mode, the switch logs the MAC address of every device that connects and grants access to any device that connects. The second feature is 802.1X open mode, which allows the switch port to give unrestricted access to the network even though authentication and authorization have not been performed. This enables the deployment of identity without affecting existing connectivity. This phased approach allows us to prepare for moving to another mode (for instance, authenticated or enforcement) in the future. In the organization, these switch configurations will be managed by Cisco LAN Management Solution (LMS) 4.1 and the new Identity WorkCenter. Cisco LMS simplifies the deployment of identity by performing a network readiness assessment for an identity deployment, providing templates for the various modes (monitor, authenticated, enforcement) and providing a step-by-step wizard to configure the various components required.
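The following IOS configuration is an added example, not taken from the original guide or from the LMS Identity templates it refers to. It shows what the two monitor-mode features described above (MAB and 802.1X open mode) look like on an access port, with Cisco ISE as the RADIUS server, and it also shows the DHCP forwarding used for profiling in the earlier DHCP example. The ISE address 10.4.48.41, the DHCP server address 10.4.48.10, the VLAN numbers, the interface name and the shared secret are placeholders chosen for this example.

```cisco
! Global AAA: ISE (10.4.48.41, placeholder) is the RADIUS server for
! authentication, authorization and accounting of wired 802.1X/MAB sessions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 10.4.48.41 auth-port 1812 acct-port 1813 key ISE-shared-secret
radius-server vsa send authentication
radius-server vsa send accounting
!
! Enables the 802.1X authenticator globally; without this line no port authenticates.
dot1x system-auth-control
!
! Monitor-mode access port (placeholder interface and VLANs).
interface GigabitEthernet1/0/1
 description Monitor-mode access port (MAB + 802.1X open mode)
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ! Open mode: traffic is forwarded before the result is known and regardless of it,
 ! so an Access-Reject or an unknown MAC address never disconnects a user.
 authentication open
 ! Try MAB first so every endpoint (printer, phone, PC without a supplicant) is
 ! seen and logged by MAC address; 802.1X takes over if a supplicant answers.
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Client SVI on the Layer 3 switch that is the default gateway for VLAN 100.
! The first helper address is the real DHCP server; the second sends a copy of
! every DHCP request to ISE so the DHCP probe can profile the endpoint.
interface Vlan100
 ip address 10.4.100.1 255.255.255.0
 ip helper-address 10.4.48.10
 ip helper-address 10.4.48.41
```

Two points to check when applying a template like this. First, `authentication open` means monitor mode gives visibility only: an endpoint that fails MAB and 802.1X still gets full access, and only the RADIUS log shows it failed, so the line must be removed (and a pre-authentication ACL or downloadable ACLs added) before the port can be considered to be in authenticated or enforcement mode. Second, the ISE authentication policy for MAB is normally set to continue when the MAC address is not found, so that unknown devices appear in the authorization log as sessions to be profiled rather than as a flood of failed authentications.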

You accomplish integrating Cisco ISE into the wireless network by using Cisco ISE as the RADIUS server for wireless 802.1X authentication and accounting. You configure this on every wireless LAN controller (WLC) in the network, at both headquarters and the remote sites. The one exception is the controller used for guest access. You can also configure the WLCs to forward DHCP requests to Cisco ISE to enable the profiling of wireless endpoints.


Figure 1 - Cisco ISE integration into Cisco SBA

