Tuesday, May 22, 2012

Cisco ISE and Wireless BYOD

A recent opportunity came up to deploy Cisco Identity Services Engine or ISE for a client in support of BYOD.  The goal for the our client was to provide a way for persons belonging to a specific AD group (a BYOD group) to have access to the outside internet via their wireless mobile devices utilizing their internal AD credentials, but not having access to the internal network resources with those same devices.  We attempted to do this via the WLAN controllers, but what we discovered was that WLAN controllers could not query an AD group, which was a limitation of the controllers software.  Asking Cisco why lead us to Cisco's ISE product.  We downloaded a 90 day licensed version of ISE and had installed on the network.

From initially logging in we could tell that ISE was going a monster of a program, with more buttons and knobs than we could wrap our heads around.  One of the biggest things we were looking for was the ability to limit access to a WLAN SSID based on an AD group.  By utilizing the ISE's ability to match RADIUS attributes utilizing regular expressions, we were able to isolate the SSID for authentication.  We were also easily able to query AD for group membership and built a matching query string.  Something we struggled with for weeks on the WLCs.  Once we built a policy on that criteria we were in business.  Essentially, the policy said that if you are connecting to this SSID but you are not in the approved AD group you are not getting on the network with that device.  Exactly what the client was looking for.

So we accomplished what we set out to do in short order, but ISE provided more features to meet the clients WLAN security needs.  At the time, the client had MAC address filtering on the WLCs for company assets, which is a very manual process of placing the each WLAN NIC's MAC addresses in the controllers for each individual PC.  This is a large administrative overhead that was implemented because of unauthorized devices that were accessing the corporate wireless, and corporate resources.  This is a less then desirable solution because of potential of MAC address spoofing attacks.

The next request from the client was to figure out if ISE could identify which machines were company assets and which were not, and to allow those assets access to cooperate wireless and deny access to the rest automatically, thus they can decommission the WLAN MAC address filtering.  This one took quite a bit a time to figure out.  Again we matched on the RADIUS attributes, and tried to match on domain membership.  We failed again and again and tried many scenarios.  Finally, we decided to enable machine authentication through Cisco's AnyConnect Client.  Which meant the machine had to pass authentication against AD.  We ran into other problems though, the machine would authenticate, and the user would authenticate, but they were not tied together.  ISE provided an answer.  We were able to build a policy that essentially made ISE check to see if a machine that the user was logging into was authenticated against AD before letting a user on.  If it was true and the machine was authenticated and the user passed AD authorization, then they were let on to the corporate wireless, but if the machine could not be authenticate then the user was also denied access, even if they had valid user credentials.

It was a very slick solution, and this was only for wireless access.  ISE has many other granular interrogation abilities when implemented on the wire with  dot1X authentication, and a great profiling and posturing abilities.  But I can say that ISE is not an easy solution.  You have to really know what your goal is and an idea of how to accomplish it.  You also have to understand the protocols being used and what information is contained within them.  ISE also takes time.  Policies can break other policies and like an ACL the first match wins, which could leave holes for malicious users.  We spent days building policies that seemed worked, and many other days testing to ensure those policies worked in all cases, only to find loopholes that violate corporate security policy.  We are currently working on the other capabilities of ISE for our client and I will share our impressions and findings as we progress through more challenges and opportunities.

No comments:

Post a Comment