Device Administration with TACACS+ using ISE 2.X
Aaron T. Woland, CCIE #20113
Principal Engineer, Security Business Group
BRKSEC-2344

You are in the right place if your interest is…
Control and Visibility…
Of the Administration of the Devices that form the fabric of your network…
Using ISE with TACACS+.
Laughing and Enjoying a Session at Cisco Live
BRKSEC-2344 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Aaron Woland, CCIE# 20113
Principal Engineer, Security Business Group
[email protected]
@AaronWoland
http://www.networkworld.com/blog/secure-network-access/
About Me
Live in North Carolina. ”the South”
Southerners Known for:
• Politeness
• Courtesy
• Manners
• BBQ
• Frying Everything!
About Me
But, I am from New York. New Yorkers Known For:
• Speaking their Mind
• Being Blunt but Truthful
• Not known for our Manners
• Pizza & Bagels!!!!!!!
About Me
I am a Father…
Of 4 Daughters!
So... Nothing Scares me anymore!
Sarcasm: “If we can’t laugh at ourselves, then we cannot laugh at anything at all”
Please Fill Out The Survey!
Agenda v2
• Introduction – Why and What is Device Administration AAA
• Device Administration AAA in ISE
  • Design Principles
  • Components (Policy Elements, Policy Sets)
  • NAD Types
  • AAA Models
  • Configuring the NADs
• Configuring Device Administration in ISE
  • IOS / WLC / Nexus
• Proof is in the Pudding
• Migrating from ACS to ISE
• Final Questions?

Agenda
• Introduction
• Device Administration AAA in ISE 2.x
• Network Devices
• Configuring ISE for Device Administration
• The Proof is in the Puddin’
• Migrating from ACS to ISE
• Final Conclusions

Why Do Device Administration AAA?
• Centralized Control of Network Devices
  • Ensure Network Devices remain correctly configured
  • Who may do what actions to which devices, under which conditions
• Centralized Visibility of Those Actions
  • Reliably record those actions
  • Who accessed a network device, and which commands did they execute?
  • What configuration changes were made?
  • When did this all occur?
• Compliance:
  • SOX, HIPAA, PCI DSS
  • Requires secure auditing and reporting of network configuration changes
AAA: a Key Security Concept
• Authentication, Authorization and Accounting (AAA)
  • Authentication: who the user is
  • Authorization: what they are allowed to do
  • Accounting: recording what they have done
Authentication vs. Authorization
I’d like 40K from John Chambers’ Account
Do You Have Identification?
Yes, I Do. Here It Is.
Sorry, Aaron Woland is not Authorized for John Chambers’ Account
Two Main Types of AAA

Network Access AAA
[Diagram: the AAA Client (NAS / NAD) talks to the AAA server using RADIUS as the authentication protocol]
Common Authentication Protocols:
• PAP
• CHAP
• MS-CHAP
Device Administration
[Diagram: Terminal User → (Telnet, SSH, Serial) → AAA Client (the network device) → AAA Server]
AAA Protocols
• 2 Main Protocols Designed for AAA:
  • Remote Authentication Dial-In User Service (RADIUS)
  • Terminal Access Controller Access-Control System (TACACS)
Remote Authentication Dial-In User Service
• IETF standard for AAA
• Most common AAA protocol for Network Access
  • Why? Because IEEE 802.1X uses RADIUS
  • 802.1X is used with the vast majority of secure Wi-Fi
• Note: CAN be used for Device Administration, but not as powerful as TACACS+ for that form of AAA
A long time ago in a development lab far, far away…
Terminal Access Controller Access-Control System
• AAA standard protocol designed for controlling access to UNIX terminals
• Cisco enhanced it, created TACACS+ and published it as an open standard in the early 1990s
• Mainly used for Device Administration
• Can authenticate once and authorize many times
  • Perfect for command authorizations
  • AuthZ results sent for each attempt, not just ONCE with AuthC
AuthC Once + AuthZ Many (TACACS+)

SSH to Network Device

AuthC:
  START (authentication) – user trying to connect
  REPLY (authentication) – request username
  CONTINUE (authentication) – username
  REPLY (authentication) – request password
  CONTINUE (authentication) – password
  REPLY (authentication) – Pass (authentication is complete)

AuthZ (EXEC is shell authorized):
  REQUEST (authorization) – service = shell
  RESPONSE (authorization) – PASS_ADD
  REQUEST (accounting) – START / RESPONSE – SUCCESS

# show run (command AuthZ, command is authorized):
  REQUEST (authorization) – service = command
  RESPONSE (authorization) – PASS_ADD
  REQUEST (accounting) – CONTINUE / RESPONSE – SUCCESS
Device Administration AAA in ISE
TACACS+ is in ISE
So where do we begin?...
Introducing The ISE Device Administration Work Center
Order of Operations: Left to Right on the Menu Bar
Overview: T+ Live Log
Overview: Deployment (ISE 2.2+)

ISE Deployment Node Configuration (old way)
• Policy Service Node for Protocol Processing
  • Session Services (e.g. Network Access/RADIUS): on by default
  • Device Admin Service (e.g. TACACS+): MUST BE ENABLED FOR DEVICE ADMINISTRATION!!
Identities: Internal Users
• Separate Enable Password: can be defined if the user is to be allowed privileged access after login
• Random Secure Password
• Internal Users – External Password Management: may leverage AD for passwords
Identities: Internal Users
• Reality of Internal Identities:
  • Allows ISE Admin to Control Group Membership
  • Can Leverage External DB for Password Management
  • Provides a 2nd Level of Authentication if
  • In my Experience, Not used too Often Anymore
    • Everyone just leverages their AD / LDAP single-source-of-truth
    • Saves the double maintenance and duplication of effort
Identities: External IDs (More Commonly Used)
• Same List of Sources as Network Access
• Enable Password can be defined if the user is to be allowed privileged access after login
Identities: External IDs (More Commonly Used)
• Reality of External Identities:
  • Way more common in today’s enterprise
  • Identity Source Sequences can be Used
  • Active Directory Connector is VERY powerful
    • Can Query over 2,000 AD Domains
    • Multi-Forest Support (up to 50 Join Points)
    • See BRKSEC-2132 @ CiscoLive.com for more on Active Directory
  • One Time Password (OTP) Servers
    • 2-factor Authentication for very Secure Environments
For More on Identities
• BRKSEC-2059 – Deploying ISE in a Dynamic Public Environment
• BRKSEC-3699 – Designing ISE for Scale & High Availability
• Online Recorded Sessions:
  • BRKSEC-2132 – What’s new in ISE Active Directory Connector
  • BRKSEC-2695 – Building Enterprise Access Control Architecture using ISE & TrustSec
NADs: Network Device Groups (NDG)
• Build a Detailed Hierarchy to make Policy Sets and Rule Creation More Powerful
NADs: Network Devices
• TACACS+ Shared Secret
• Single Connect Mode
• Retire the Secret: accept the old and new secret for a configured time period
Results: Policy Elements, Authorization Results
• TACACS Profiles (AKA: Shell Profiles)
  • Different Types
  • Assigned Level
Results: Policy Elements, Authorization Results
• Command Sets: lists of commands to Permit / Deny
We Will Dive into These Elements more in the Config Section
Policy Sets
• Policy Set Ordered List: provides both Management AND Execution order
• Policy Set Condition: how the Policy Set is engaged

Policy Sets
• Policy Set Summary View: provides an overview of the Execution Conditions
ISE Authentication Processing
Are you who you say you are?
Evaluate Policy Set Selection → Determine Authentication Protocols → Select Identity Store → Authentication Policy Evaluation → Validate Credentials → Enable Authorization
Authentication in the Policy Set
Authentication Policy Area

Policy Set Authentication Results
• Identity Source
• Allowed Protocols
ISE Authorization Processing
Policy Set Selection → Identity Selection and Evaluation → Authorization Policy Evaluation → Reply (Command Set or Profile)
Device Administration Authorization in ISE
Authorization Policy Area
Best Practices for Policy Sets Organization
• Optimal Size Mix for Policy Set breakdown in ISE 2.0:
  • 6-10 Policy Sets
  • 60-100 rules
• Divide Complete Policy into robust Silos representing Use Cases
  • e.g. By Device Type
  • e.g. By Region
Example Policy
Identity groups: Helpdesk, Superuser (Admin Superuser). Device regions: US, EMEA.

| Device \ Identity | US Helpdesk | EMEA Helpdesk | US Superuser | EMEA Superuser |
|-------------------|-------------|---------------|--------------|----------------|
| Device: US        | Helpdesk    | -             | Superuser    | Helpdesk       |
| Device: EMEA      | -           | Helpdesk      | Helpdesk     | Superuser      |
Design Principles
See BRKSEC-3699 – Designing ISE for Scale & High Availability

Deployment Considerations
• Should we dedicate an ISE Policy Service Node (PSN) to TACACS+?
• How many PSNs should we dedicate to TACACS+?
• Should we dedicate a deployment to TACACS+?
  • i.e. separate PAN + MnT
Options for Deploying Device Admin

| Priority | Separate Deployment (TACACS / RADIUS) | Separate PSN Mode (TACACS / RADIUS) | Mixed PSN Mode (RADIUS/TACACS, according to policy) |
|---|---|---|---|
| Separation of Configuration – Yes: Specialization for TACACS+ | ✔ | | |
| Separation of Configuration – No: Avoid Duplication of Shared Items, Avoid cost of duplicate PAN/PSN | | ✔ | ✔ |
| Separation of Logging Store – Yes: Optimize Log Retention VM | ✔ | | |
| Separation of Logging Store – No: Centralized Monitoring | | ✔ | ✔ |
| Independent Scaling of Services – Yes: Scale as Needed, Avoid NAC/Device Admin Load | ✔ | ✔ | |
| Independent Scaling of Services – No: Avoid underutilized PSNs | | | ✔ |
Large Deployments: Separate Cubes
[Diagram: ISE Cube 1 (MNT, PAN, PSN, VIP1) and ISE Cube 2 (MNT, PAN, PSN, VIP2); a Network Device sits between them, with a Terminal User on one side and a Network User on the other]
Medium Deployments: Separate Cubes
[Diagram: Single ISE Cube with PAN, MNT and two PSNs (VIP1, VIP2); a Network Device below it, with a Terminal User on one side and a Network User on the other]
Small Deployments: Separate Cubes
[Diagram: Single ISE Cube with two PSNs (VIP1, VIP2) plus PAN and MNT; a Network Device below it, with a Terminal User on one side and a Network User on the other]
Why does Aaron Prefer Separate Cubes?
Logging Capacity
• In the Large scale appliance (3595), 320GB is allocated to TACACS+ logs
• Capacity requirements are variable… Assuming:
  • 4K log for Authentication/Session, 3K log for Command Authorization/Session
  • Each admin has 40 Sessions/day, with 25 commands per session…

Example Calculation of Days of Capacity (see BRKSEC-3699):

| Admins \ Disk Size | 320 GB | 1024 GB | 2048 GB |
|---|---|---|---|
| 20  | 1062 | 3398 | 6796 |
| 50  | 425  | 1360 | 2719 |
| 250 | 85   | 272  | 544  |
The Network Devices
Network Devices do AAA Differently
• Cisco IOS – The Ultimate in Flexibility
  • 16 Privilege Levels (0-15)
  • A user authorized to a level of privilege can execute all commands at that level
  • Authorization into the Shell
  • Authorization per-command
• Cisco WLC – Nice and Easy
  • Assigns a “role” to a User
  • Role = Which Menus they get Write Access to
• Cisco Nexus – Blended
  • Users Authorized to a Role
  • Role = List of Features and Commands Available to User
Cisco IOS (For Your Reference)
The AAA Method List

    aaa type { default | list-name } method-1 [method-2 method-3 method-4]

• type: Authentication, Authorization or Accounting
• default: will affect all things that use the aaa type if you don’t specify otherwise
• list-name: creates a Custom Method List; the name should mean something to you
• Methods in Order: [group radius | group tacacs+ | local-case | local | enable | none]
Configuring IOS for TACACS+ authentication
• Device configuration for TACACS+ is vendor/product specific
• Example for IOS

    ! Required for TACACS+ AAA
    aaa new-model
    ! TACACS+ server definition
    tacacs server ISE-PRIMARY
     address ipv4 10.56.122.51
     key th3k3yu5ed
    aaa group server tacacs+ ISE-GROUP
     server name ISE-PRIMARY
    ! Authentication control
    aaa authentication login VTY group ISE-GROUP local
    aaa authentication enable default group ISE-GROUP enable
    line vty 0 4
     login authentication VTY
Configuring IOS for TACACS+ authorization
• Device configuration for TACACS+ is vendor/product specific
• Example for IOS (the server-group name is case sensitive and must match the group defined above)

    ! Enable Session Authorization
    aaa authorization exec VTY group ISE-GROUP local
    ! Enable Command Authorization
    aaa authorization config-commands
    aaa authorization commands 0 VTY group ISE-GROUP local
    aaa authorization commands 1 VTY group ISE-GROUP local
    aaa authorization commands 15 VTY group ISE-GROUP local
    line vty 0 4
     authorization exec VTY
     authorization commands 0 VTY
     authorization commands 1 VTY
     authorization commands 15 VTY
Configuring IOS for TACACS+ accounting
• Device configuration for TACACS+ is vendor/product specific
• Example for IOS

    aaa accounting exec default start-stop group ISE-GROUP
    aaa accounting commands 1 default start-stop group ISE-GROUP
    aaa accounting commands 15 default start-stop group ISE-GROUP
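As an added example (not from the session and not a Cisco tool), a Python check that reads an IOS running-config and verifies that the authentication, authorization and accounting pieces from the three steps above are all present and applied to the VTY lines. It assumes classic IOS syntax with sub-mode lines indented by one space, treats a server-group name that does not exactly match the defined group as a finding (IOS names are case sensitive), and flags a `none` method because it lets the action through with no AAA when the servers are unreachable.

```python
"""Audit an IOS running-config for the device-administration AAA set up above.

Added example, not from the session. Assumes classic IOS syntax as on the slides,
sub-mode lines indented with one space, and case-sensitive server-group names."""
import re

# (finding text, regex that at least one global config line must match)
GLOBAL_CHECKS = [
    ("aaa new-model missing", r"^aaa new-model$"),
    ("no 'tacacs server' definition", r"^tacacs server \S+$"),
    ("no 'aaa group server tacacs+' group", r"^aaa group server tacacs\+ \S+$"),
    ("login authentication list does not use a TACACS+ group",
     r"^aaa authentication login \S+ .*\bgroup \S+"),
    ("enable authentication not sent to TACACS+",
     r"^aaa authentication enable default .*\bgroup \S+"),
    ("exec (shell) authorization missing", r"^aaa authorization exec \S+ .*\bgroup \S+"),
    ("config-commands authorization missing", r"^aaa authorization config-commands$"),
    ("level 15 command authorization missing",
     r"^aaa authorization commands 15 \S+ .*\bgroup \S+"),
    ("exec accounting missing", r"^aaa accounting exec \S+ start-stop .*\bgroup \S+"),
    ("level 15 command accounting missing",
     r"^aaa accounting commands 15 \S+ start-stop .*\bgroup \S+"),
]
# Named lists only take effect once applied under 'line vty'.
VTY_CHECKS = ("login authentication", "authorization exec", "authorization commands 15")
BUILTIN_GROUPS = {"tacacs+", "radius"}  # implicit groups that are never defined by name


def _config_lines(config):
    """Drop blank and comment ('!') lines but keep leading indentation."""
    return [l.rstrip() for l in config.splitlines() if l.strip() and not l.startswith("!")]


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = _config_lines(config)
    findings = [f for f, pat in GLOBAL_CHECKS if not any(re.match(pat, l) for l in lines)]

    defined = set(re.findall(r"^aaa group server tacacs\+ (\S+)$", "\n".join(lines), re.M))
    for l in lines:
        if not re.match(r"^aaa (authentication|authorization|accounting) ", l):
            continue
        for grp in re.findall(r"\bgroup (\S+)", l):
            if grp not in BUILTIN_GROUPS and grp not in defined:
                findings.append(f"server group '{grp}' referenced but not defined: {l}")
        if re.search(r"\bnone\b", l):  # falls through to no AAA when servers are down
            findings.append(f"'none' method allows the action without AAA: {l}")

    vty, in_vty = [], False
    for l in lines:
        if l.startswith("line vty"):
            in_vty = True
        elif in_vty and l.startswith(" "):
            vty.append(l.strip())
        else:
            in_vty = False
    findings += [f"VTY lines do not apply '{n}'" for n in VTY_CHECKS
                 if not any(v.startswith(n) for v in vty)]
    return findings


# Constructed sample: the slides' IOS configuration assembled into one config.
GOOD_CONFIG = """\
aaa new-model
tacacs server ISE-PRIMARY
 address ipv4 10.56.122.51
 key th3k3yu5ed
aaa group server tacacs+ ISE-GROUP
 server name ISE-PRIMARY
aaa authentication login VTY group ISE-GROUP local
aaa authentication enable default group ISE-GROUP enable
aaa authorization exec VTY group ISE-GROUP local
aaa authorization config-commands
aaa authorization commands 15 VTY group ISE-GROUP local
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
line vty 0 4
 login authentication VTY
 authorization exec VTY
 authorization commands 15 VTY
"""

# Constructed sample with common slips: 'none' fallback, server group in the wrong
# case, no config-commands authorization, no accounting, list not applied to VTY.
BAD_CONFIG = """\
aaa new-model
tacacs server ISE-PRIMARY
 address ipv4 10.56.122.51
 key th3k3yu5ed
aaa group server tacacs+ ISE-GROUP
 server name ISE-PRIMARY
aaa authentication login VTY group ISE-GROUP none
aaa authentication enable default group ISE-GROUP enable
aaa authorization exec VTY group ise-group local
aaa authorization commands 15 VTY group ISE-GROUP local
line vty 0 4
 login authentication VTY
 authorization exec VTY
"""
```

Running `audit(BAD_CONFIG)` returns six findings, including the `ise-group` / `ISE-GROUP` mismatch that silently breaks exec authorization on a real device.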
Cisco WLC
Configuring WLC for TACACS+ AAA
• T+ First
• Fallback to Local – if T+ is non-responsive
Configuring ISE
The User Account & Group Types

| Users | Group | Description |
|---|---|---|
| NetAdmin1, NetAdmin2 | NetAdmin | Network Administrators – Get full Access to Everything Possible |
| NetOps1, NetOps2 | NetOps | Network Operators – Access, but Limited to what Changes can be Made |
| SecAdmin1, SecAdmin2 | SecAdmin | Security Administrators – Read-only to absolutely everything, including configurations. |
| Helpdesk1, Helpdesk2 | Helpdesk | Helpdesk Personnel – Read-only to all show commands, not including show-run. No changes permitted at all. |
| Employee1, Employee2 | Employees | Any other Employee – No access to Shell or UI. |
Cisco IOS Device Admin Results
TACACS Profile – NetAdmin (IOS)
• Task Type Specific for the Device: a nice UI feature, to provide a specific UI per device type
• IOS Privilege Level: Default = Assigned at Login; Max = Limit with “enable” command
• Idle Time: for High-Powered Access, limit the session time when there is no activity
TACACS Profile – NetOps (IOS)
• IOS Privilege Level: Default = Assigned at Login; Max = Limit with “enable” command. Allows privilege escalation when necessary
TACACS Profile – SecAdmin (IOS)
• IOS Privilege Level: SecAdmin will be limited by Command Set instead of Privilege
• Timer (absolute time): because you want to mess with them.
• Idle Time: for High-Powered Access, limit the session time when there is no activity
TACACS Profile – Helpdesk (IOS)
• IOS Privilege Level: will get all Priv 1 commands, and any specially moved to Priv 2 only.
Command Set – NetAdmin (IOS)
• Permit all Commands: since nothing is listed below, all commands will be permitted.
Command Set – NetOps (IOS)
• Permit all Commands: anything not listed below will be allowed
• DENY_ALWAYS: shutdown and reload will never be permitted, even when stacking permissions.
  • If DENY instead of DENY_ALWAYS, then Permit wins in a Stack
Command Set – SecAdmin (IOS)
• Permit all Commands: anything besides configure will be permitted
• DENY_ALWAYS: configure will never be allowed for Security Admins. All other commands will work.
Command Set – Helpdesk (IOS)
• Deny All Commands, except what is below
• PERMIT: allow all show commands for the privilege level.
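The stacking rules on the four command sets above, as an added Python model (not ISE code) of how a single command is decided: it assumes the precedence the slides state (DENY_ALWAYS beats PERMIT, PERMIT beats DENY, and “Permit all commands” counts as a PERMIT for anything not listed), and it goes beyond the slides by combining several command sets assigned to one session.

```python
"""Model of how ISE decides one command against stacked TACACS+ command sets.

Added example, not ISE code. Precedence is modelled from the slides: a
DENY_ALWAYS match in any set wins; otherwise any PERMIT match (or a set that
permits unlisted commands) beats a plain DENY; with no match and no set
permitting unlisted commands, the command is denied.
"""
import re
from dataclasses import dataclass, field

PERMIT, DENY, DENY_ALWAYS = "PERMIT", "DENY", "DENY_ALWAYS"


@dataclass
class Rule:
    grant: str           # PERMIT, DENY or DENY_ALWAYS
    command: str         # first keyword of the command, e.g. "show" or "configure"
    arguments: str = ""  # regex over the rest of the line; empty matches any arguments


@dataclass
class CommandSet:
    name: str
    permit_unlisted: bool  # the "Permit all commands" option on the slides
    rules: list = field(default_factory=list)

    def verdict(self, command, args):
        """This set's own view of the command, or None when nothing in it applies."""
        grants = {r.grant for r in self.rules
                  if r.command.lower() == command.lower()
                  and (r.arguments == "" or re.search(r.arguments, args))}
        for grant in (DENY_ALWAYS, PERMIT, DENY):  # strongest matching rule wins
            if grant in grants:
                return grant
        return PERMIT if self.permit_unlisted else None


def evaluate(command_sets, command_line):
    """Combine the verdicts of every command set assigned to the session."""
    command, _, args = command_line.strip().partition(" ")
    verdicts = {cs.verdict(command, args) for cs in command_sets}
    if DENY_ALWAYS in verdicts:
        return DENY    # DENY_ALWAYS is never overridden by another set
    if PERMIT in verdicts:
        return PERMIT  # a PERMIT (or permit-unlisted) beats a plain DENY
    return DENY        # only DENY verdicts, or no match at all


# The four IOS command sets from the slides, as constructed sample data.
NETADMIN = CommandSet("NetAdmin", permit_unlisted=True)
NETOPS = CommandSet("NetOps", permit_unlisted=True,
                    rules=[Rule(DENY_ALWAYS, "shutdown"), Rule(DENY_ALWAYS, "reload")])
SECADMIN = CommandSet("SecAdmin", permit_unlisted=True, rules=[Rule(DENY_ALWAYS, "configure")])
HELPDESK = CommandSet("Helpdesk", permit_unlisted=False, rules=[Rule(PERMIT, "show")])
# Same NetOps set with a plain DENY, to show why the slides insist on DENY_ALWAYS.
NETOPS_WEAK = CommandSet("NetOps-weak", permit_unlisted=True, rules=[Rule(DENY, "reload")])

if __name__ == "__main__":
    for sets, cmd in [([NETOPS], "reload"), ([NETOPS, NETADMIN], "reload"),
                      ([NETOPS_WEAK, NETADMIN], "reload"), ([SECADMIN], "configure terminal"),
                      ([HELPDESK], "show interfaces"), ([HELPDESK], "ping 10.0.0.1")]:
        print([s.name for s in sets], cmd, "->", evaluate(sets, cmd))
```

Stacking NETOPS_WEAK with NETADMIN lets `reload` through, while the DENY_ALWAYS version of the same set still blocks it.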
Cisco WLC Device Admin Results
TACACS Profiles for the WLC
• No command sets for WLC. It is role based, with its Menus.
TACACS Profile – NetAdmin (WLC)
• All Menus: Full Access to the WLC
TACACS Profile – SecAdmin (WLC)
• WLAN & Security: Read/Write to WLAN, Read/Write to Security, Read-Only to everything else
TACACS Profile – Helpdesk (WLC)
• Monitor: Read-Only to the Entire UI
TACACS Profile – Employees (WLC)
• Lobby: special role that does not give access to the WLC UI, only to a Guest Management UI
Proof is in the Puddin’
Login to an IOS Device

secadmin1 session:
    Username:secadmin1
    Password:
    3750-X# show privilege
    Current privilege level is 15
    3750-X# conf t
                ^
    % Invalid input detected at '^' marker.

netops1 session:
    Username:netops1
    Password:
    3750-X# show priv
    Current privilege level is 7
    3750-X# show run
    Building configuration...

This is how:
    3750-X#show run | i priv
    privilege configure all level 6 interface
    privilege configure level 6 authentication
    privilege exec level 7 show running-config
Device Admin Live Log
[Screenshot: the T+ Live Log with callouts for the Authentication, Exec AuthZ and Command AuthZ entries]
TACACS+ Command Accounting
• ISE Accounting Report records all commands
• Purpose is to audit and fault-find device configuration
• Comprehensive and flexible searching for commands: who, what, when, where
TACACS+ AAA Authentication Reporting
• ISE Authentication Reporting records all passed and failed authentication attempts
• Purpose is to audit and fault-find device – ISE interactions
Login to a WLC Device
Backup Slides: Device Admin Migration from ACS

Comparing ISE to ACS 5
• Core TACACS+ Protocol engine is shared with ACS 5
• However: ISE is not ACS…
  • Different management system (RBAC, GUI etc)
  • Different policy system and GUI
  • Different internal identity store
• “Parity” can be subtle…
Example Parity Issue: ACS 4 vs 5 custom Attributes
[Screenshots: ACS 4 custom attributes beside ACS 5 custom attributes]
Using the Migration tool
• Step 1 – Migrate to the Correct version of ACS
  • ACS 5.5 or ACS 5.6
• Step 2 – Download the tool from the ISE interface
  • Link Provided in the ISE Device Administration work center
• Step 3 – Enable the migration interface in ISE with configuration:
  • ACS: acs config-web-interface migration enable
  • ISE: application configure ise / option 11
• Step 4 – If you are migrating to ISE, back up ACS/ISE:
  • Save Certificates (Export including Private Keys)
  • Back up ISE Configuration
  • Back up System Logs
  • Obtain AD credentials to rejoin if needed.
Using the Migration tool
• Run Export → Report;  if Issues are Found: Update ACS and Run Export again
• Run Import → Report; if Issues are Found: Update ACS and Run Import again
ACS 5 to ISE Migration: Identity
• Internal Users Issues
  • Parity Gap
    • Password Type
    • Password Change Next Login + Lifetime
  • Naming Constraints: More illegal chars in ISE
• External Identity Stores
  • Migrate cleanly (As always, check names)
ACS 5 to ISE Migration: Network Devices/NDGs
• Network Device migration caveats for ISE 2.0:
  • IP Ranges not supported in ISE
  • Exclusions supported by “overlapping IPs”
  • IPv4 only
  • Default Device must have RADIUS enabled
• Reconciliation flow for Migration Tool
  • If Device does not exist in ISE (defined by no overlap of IP configuration): then add it
  • If Device does exist (IP/subnet exactly matches) and (name exactly matches): then update details to add TACACS+ elements
  • If only an approximate match (name matches exactly, or IP/subnet matches exactly, but not both): then generate an error report
ACS 5 to ISE Migration: Authorization Results
• Command Sets and Shell Profiles migrate well
• Main gotcha: object names
  • ISE is stricter about names
  • Policy Results namespace is shared with Network Access
  • Recommend using a prefix for Device Admin Authorization Results
ACS 5 to ISE Migration: Policy
• ACS 5 Access Service maps to ISE Policy Set
  • ACS 5 Access Service is separated from Selection Policy
  • Can have Services that are not engaged
  • Can have Services selected by different Service Selection rules
• ACS 5 Group Map
  • Group Map intended as a transition step from ACS 4
  • Group Map content must be migrated to Authorization Policy
• Authentication Allowed Protocols
  • Part of Service configuration in ACS 5
  • Policy Result in ISE
ACS 5 to ISE Migration: TACACS+ Proxy
• ACS 5 Proxy Service maps to ISE Policy Set in Proxy Sequence Mode
Migration Best Practices
• Follow recommendations from Migration tool Reports
• Rename ACS objects using ISE legal chars
• Move Group Map Policy to Authorization
• Consider ACS 5 to ISE migration as an opportunity to review and refresh Policy
  • Especially if Migrating from ACS 4
ACS to ISE 2.2 feature comparison
ACS vs ISE feature comparison – RADIUS

| RADIUS | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2 |
|---|---|---|---|---|---|
| PAP | Yes | Yes | Yes | Yes | Yes |
| CHAP | Yes | Yes | Yes | Yes | Yes |
| MS-CHAPv1 and v2 | Yes | Yes | Yes | Yes | Yes |
| EAP-MD5 | Yes | Yes | Yes | Yes | Yes |
| EAP-TLS | Yes | Yes | Yes | Yes | Yes |
| PEAP (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes |
| PEAP (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes |
| PEAP (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes |
| EAP-FAST (with EAP-MSCHAPv2 inner method) | Yes | Yes | Yes | Yes | Yes |
| EAP-FAST (with EAP-GTC inner method) | Yes | Yes | Yes | Yes | Yes |
| EAP-FAST (with EAP-TLS inner method) | Yes | Yes | Yes | Yes | Yes |
| EAP Chaining with EAP-FAST | No | No | Yes | Yes | Yes |
| RADIUS Proxy | Yes | Yes | Yes | Yes | Yes |
| RADIUS VSAs | Yes | Yes | Yes | Yes | Yes |
| LEAP | Yes | Yes | Yes | Yes | Yes |
ACS vs ISE feature comparison – TACACS+

| TACACS+ | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2 |
|---|---|---|---|---|---|
| TACACS+ per-command authorization and accounting | Yes | Yes | Yes | Yes | Yes |
| TACACS+ support in IPv6 networks | No | Yes | No | No | No |
| TACACS+ change password | Yes | Yes | Yes | Yes | Yes |
| TACACS+ enable handling | Yes | Yes | Yes | Yes | Yes |
| TACACS+ custom services | Yes | Yes | Yes | Yes | Yes |
| TACACS+ proxy | Yes | Yes | Yes | Yes | Yes |
| TACACS+ optional attributes | Yes | Yes | Yes | Yes | Yes |
| TACACS+ additional auth types (CHAP / MSCHAP) | Yes | Yes | Yes | Yes | Yes |
| TACACS+ attribute substitution for Shell profiles | Yes | Yes | Yes | Yes | Yes |
| TACACS+ customizable port | Yes | Yes | No | Yes | Yes |
ACS vs ISE feature comparison – Internal users and Admins

| Internal Users / Administrators | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2 |
|---|---|---|---|---|---|
| Users: Password complexity | Yes | Yes | Yes | Yes | Yes |
| Users: Password aging (1) | Yes | Yes | Yes | Yes | Yes |
| Users: Password history | Yes | Yes | Yes | Yes | Yes |
| Users: Max failed attempts | Yes | Yes | Yes | Yes | Yes |
| Users: Disable user after n days of inactivity | Yes | Yes | No | Yes | Yes |
| Admin: Password complexity | Yes | Yes | Yes | Yes | Yes |
| Admin: Password aging | Yes | Yes | Yes | Yes | Yes |
| Admin: Password history | Yes | Yes | Yes | Yes | Yes |
| Admin: Max failed attempts | Yes | Yes | Yes | Yes | Yes |
| Admin: Password inactivity | Yes | Yes | No | Yes | Yes |
| Admin: entitlement report | Yes | Yes | Yes | Yes | Yes |
| Admin: session and access restrictions | Yes | Yes | Yes | Yes | Yes |

(1) Warning and disable after a defined interval. Grace period is not supported.
ACS to ISE feature comparison – MAR, Conditions, Logs, Network Devices

| Machine Access Restriction, Conditions, Logs, Network devices | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2 |
|---|---|---|---|---|---|
| Machine Access Restrictions | | | | | |
| Machine Access Restrictions caching and Distribution (1) | Yes | Yes | Yes | Yes | Yes |
| Conditions/Filters | | | | | |
| Network Access Restrictions (NARs) | Yes | Yes | No | No | Yes |
| Time based permissions | Yes | Yes | Yes | Yes | Yes |
| Log Management | | | | | |
| Log Viewing and reports | Yes | Yes | Yes | Yes | Yes |
| Export logs via SYSLOG | Yes | Yes | Yes | Yes | Yes |
| Network Devices | | | | | |
| Configure network devices with IP address ranges | Yes | Yes | No | No | Partially (2) |
| Lookup Network Device by IP address (3) | Yes | Yes | Yes | Yes | Yes |

(1) ISE 2.0 supports only MAR cache. ISE 2.1 supports MAR cache between restarts but not distribution.
(2) When migrating from ACS to ISE, the Migration Tool automatically converts IP ranges in the last octet of the IP.
(3) Can search by IP address, but this can’t be used in combination with other fields as search criteria.
ACS to ISE feature comparison – Security management, Tools and utilities

| PKI / Security Management, Tools and utilities | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2 |
|---|---|---|---|---|---|
| PKI / Security management | | | | | |
| Configurable management HTTPS certificate | Yes | Yes | Yes | Yes | Yes |
| CRL: Multiple URL definition | Yes | No | No | No | No |
| CRL: LDAP based definition | Yes | No | Yes | Yes | Yes |
| Online Certificate Status Protocol (OCSP) | Yes | Yes | Yes | Yes | Yes |
| Secure Syslogs | No | Yes | Yes | Yes | Yes |
| EAP-TLS Certificate lookup in LDAP or AD | Yes | Yes | Yes | Yes | Yes |
| Tools and Utilities | | | | | |
| Programmatic Interface for network device CRUD operations | Yes | Yes | Yes | Yes | Yes |
| Command line / scripting interface (CSUtil) | Yes | No | No | No | No |
| API for users, groups and end-point CRUD operations | Yes | Yes | Yes | Yes | Yes |
| Import and Export of Command Sets | Yes | Yes | No | No | No |
| Users: User change password (UCP) utility | Yes | Yes | No | No | No |
ACS to ISE feature comparison – Miscellaneous

| Miscellaneous | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2 |
|---|---|---|---|---|---|
| Group Mapping (1) | Yes | Yes | No | No | No |
| RSA Token caching | Yes | Yes | No | No | Yes |
| Adding hosts with Wildcards | Yes | Yes | No | No | No |
| Alarm notification on a per-item level | N/A | Yes | No | No | No |
| Configurable RADIUS ports | Yes | No | No | Yes | Yes |
| Allow Special characters in object name | Yes | Yes | No | No | Partially (2) |
| Multiple NIC interfaces | N/A | Yes | Yes | Yes | Yes |
| Maximum concurrent sessions per user/group | Yes | Yes | No | No | Yes (3) |
| Dial-in Attribute Support | Yes | Yes | No | No | Yes |
| RBAC for ISE Admin to allow administrators' rights to access/modify only subset(s) of a class of objects | Yes | No | No | Yes | Yes |

(1) Workaround: Use authorization conditions in ISE authorization policy.
(2) Migration tool automatically converts any special character unsupported by ISE to "_".
(3) For internal users.
Non-Supported features

| Features that will have no ISE support | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.1 | ISE 2.2 |
|---|---|---|---|---|---|
| Leap Proxy | Yes | No | No | No | No |
| Ability to select logging attributes for syslog messages | Yes | No | No | No | No |
| Logging to external DB (via ODBC) | Yes | Yes (1) | No | No | No |

(1) Data can be exported from M&T for reporting. Not supported as a log target that can be defined as critical logger.
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Q & A
Thank You