#CLUS Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD

Ali H. Ali, Technical Marketing Engineer, CCIE – 44526 (Wireless). BRKEWN-2005

Session Objectives: what this session will cover… and what it won't…

Will cover:

• AP and WLC secure connection;

• wireless radio threats;

• secure/open SSID fundamentals (see also BRKEWN-2010);

• client secure connection options (see also BRKEWN-2014);

• use cases;

• mainly CUWN and AireOS.

Won't cover:

• configuration details;

• version discrepancies;

• roadmap;

• IPv6 (see BRKIP6-2191);

• not too much for guests;

• …except when it does.

BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Disclaimer: new kids on the block (see also BRKEWN-2670)

• Catalyst 9800 Wireless Controllers based on IOS-XE.

• Support for (almost) the same security features as for AireOS based Wireless LAN Controllers (i.e., Mobility Express, vWLC, 3504, 5520, 8540).

• Dedicated references will be provided in case of specific configuration examples.

For your reference

• There are slides in your PDF that will not be presented, or quickly presented.

• They are valuable, but included only “For your reference”.


Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How:

1. Find this session in the Cisco Live Mobile App.

2. Click "Join the Discussion".

3. Install Webex Teams or go directly to the team space.

4. Enter messages/questions in the team space.

Webex Teams will be moderated by the speaker until June 16, 2019. cs.co/ciscolivebot#BRKEWN-2005

We do everything by the book…

Not that much left on TV anyway…

http://www.ciscopress.com/store/ccie-wireless-v3-study-guide-9781587206207

Session Abstract (for your reference)

• Learn how to design secure wireless networks from A to Z.

• In this session we will cover some of the major threats associated with wireless networks and the tools we have to mitigate and prevent them, such as rogue AP detection, wIPS and spectrum intelligence.

• We will also take a look at the principles of secured wireless networks (encryption, 802.1X, guest access, etc.) and will dive into the latest identity services available to address different kinds of devices (laptops, tablets, etc.) and users (employees, guests, contractors, etc.).

• Prerequisites: knowledge of 802.11 and 802.1X fundamentals is recommended.

Agenda

• Secure the infrastructure

• Over the Air Security

• Secure the clients

• Use cases

Secure the infrastructure

Securing the infrastructure

• How to secure the AP connectivity and access.

• How to secure the CAPWAP communication between the WLC and the AP.

[Figure: Access Point (AP) ⇄ Wireless LAN Controller (WLC): CAPWAP control messages on UDP 5246, data encapsulation on UDP 5247]

• How to secure the radio:

• Intrusion detection/prevention;

• Rogue access points;

• Interferences.

WLC connectivity and access (for your reference)

[Figure: WLC management access via HTTP / HTTPS / telnet / SSH]

Control requests from wireless clients, or from wired clients on the same subnet as a dynamic interface:

(Cisco Controller) >config network mgmt-via-wireless enable

(Cisco Controller) >config network mgmt-via-dynamic-interface enable *

* Available via CLI only, and needed when sourcing RADIUS traffic from a dynamic interface instead of the management one.

WLC connectivity and access (for your reference)

[Figure: WLC management access via HTTP / HTTPS / telnet / SSH]

Control requests from specific networks/clients through CPU ACLs: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html#t4

Logical example (not a real configuration one):

• deny tcp [other client subnets] [WLC mgmt IP] eq 443

• deny tcp [other client subnets] [WLC mgmt IP] eq 22

• permit ip any any (otherwise you may lock a lot of things out!!!)
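As an added illustration (not from the deck, and not a real WLC configuration), the first-match logic behind the logical CPU ACL above, written in Python with constructed addresses: the WLC management IP 10.0.0.5, client subnets 10.10.0.0/16, an admin workstation in 10.0.0.0/24 and an AP in 10.20.0.0/16 are all assumptions. It shows why the final "permit ip any any" matters: without it, the implicit deny at the end of the ACL also drops the AP's CAPWAP control traffic and the admin's own HTTPS session.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed addressing for the example (not from the deck).
WLC_MGMT = ipaddress.ip_network("10.0.0.5/32")
CLIENT_SUBNETS = ipaddress.ip_network("10.10.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip" matches every protocol, otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None    # None means any destination port


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation: the first rule whose fields all match decides.
    If no rule matches, the implicit deny at the end of the ACL applies."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if rule.protocol != "ip" and rule.protocol != pkt.protocol:
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action
    return "deny (implicit)"


# The deck's logical CPU ACL: block HTTPS and SSH to the WLC from client subnets,
# then permit everything else so that nothing unrelated is locked out.
LOGICAL_ACL = [
    Rule("deny", "tcp", CLIENT_SUBNETS, WLC_MGMT, 443),
    Rule("deny", "tcp", CLIENT_SUBNETS, WLC_MGMT, 22),
    Rule("permit", "ip", ANY, ANY),
]

# Same ACL with the final "permit ip any any" forgotten.
ACL_WITHOUT_FINAL_PERMIT = LOGICAL_ACL[:2]

# Constructed sample traffic toward the WLC CPU.
SAMPLES = {
    "client_https": Packet("tcp", "10.10.5.7", "10.0.0.5", 443),   # wireless client -> WLC GUI
    "client_ssh": Packet("tcp", "10.10.5.7", "10.0.0.5", 22),      # wireless client -> WLC CLI
    "admin_https": Packet("tcp", "10.0.0.20", "10.0.0.5", 443),    # admin workstation -> WLC GUI
    "ap_capwap": Packet("udp", "10.20.1.1", "10.0.0.5", 5246),     # AP -> WLC CAPWAP control
}


def verdicts(acl: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against an ACL; returns sample name -> verdict."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("with permit ip any any", LOGICAL_ACL),
                       ("without final permit", ACL_WITHOUT_FINAL_PERMIT)):
        print(label)
        for name, verdict in verdicts(acl).items():
            print(f"  {name:12s} -> {verdict}")
```

Run it as a script to see both tables side by side; the second one is the "locked out" situation the slide warns about, where even the CAPWAP control channel from the AP is denied.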

WLC management authentication / authorization – AireOS (for your reference)

• Local DB: read-only / read-write.

• RADIUS: Fail / Success + privileges (RO / RW).

• TACACS: Fail / Success + tasks access *.

* Tasks are the WLC's menu tabs. Even when tasks are not explicitly authorized, users have RO access to them. RO access to a task grants RO access to all the sub-menus. RW access to a task grants RW access to all the sub-menus.

Config. examples:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71989-manage-wlc-users-radius.html
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/91631-uwn-tacacs-config.html

C9800 management authentication / authorization – IOS-XE (for your reference)

• Local DB: GUI read-only / read-write; CLI privilege 0-15.

• RADIUS: Fail / Success + privileges (CLI).

• TACACS: Fail / Success + command authorization (CLI).

RO access to the GUI grants access to the Dashboard and Monitoring menus. RW access to the GUI grants RW access to all menus.

AP management access (for your reference)

AP control at the access layer: a few words on 802.1X

Supplicant --(EAP over LAN, EAPoL; Layer 2 point-to-(multi)point link)-- Authenticator --(RADIUS; Layer 3)-- AuthC Server

Beginning:

• Supplicant → Authenticator: EAPoL Start

• Authenticator → Supplicant: EAPoL Request Identity

• Supplicant → Authenticator: EAP-Response Identity: Printer

• Authenticator → AuthC Server: RADIUS Access-Request [AVP: EAP-Response: Printer]

Middle (multiple challenge-request exchanges possible):

• AuthC Server → Authenticator: RADIUS Access-Challenge [AVP: EAP-Request EAP-FAST]

• Authenticator → Supplicant: EAP-Request: EAP-FAST

• Supplicant → Authenticator: EAP-Response: EAP-FAST

• Authenticator → AuthC Server: RADIUS Access-Request [AVP: EAP-Response: EAP-FAST]

End:

• AuthC Server → Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]

• Authenticator → Supplicant: EAP Success

AP control at the access layer: 802.1X credentials for the AP * – AireOS

Access Point (AP) as supplicant --(EAPoL; Layer 2 point-to-(multi)point link)-- Authenticator --(RADIUS; Layer 3)-- AuthC Server

AP# capwap ap dot1x username [USER] password [PWD]

* AireOS 8.6 for 802.11ac Wave 2 APs (EAP-FAST MS-CHAPv2, as for other AP series).

AireOS 8.7+ for EAP-TLS or PEAP MS-CHAPv2 support (802.11ac Wave 2 APs and later).

AP control at the access layer: 802.1X credentials for the AP * – IOS-XE

Access Point (AP) as supplicant --(EAPoL; Layer 2 point-to-(multi)point link)-- Authenticator --(RADIUS; Layer 3)-- AuthC Server

AP# capwap ap dot1x username [USER] password [PWD]

* AireOS 8.6 for 802.11ac Wave 2 APs (EAP-FAST MS-CHAPv2, as for other AP series).

AireOS 8.7+ for EAP-TLS or PEAP MS-CHAPv2 support (802.11ac Wave 2 APs and later).

AP control at the access layer: the FlexConnect challenge

Supplicant --(EAPoL; Layer 2 point-to-(multi)point link)-- Authenticator --(RADIUS; Layer 3)-- AuthC Server

A FlexConnect AP (usually) "needs" a trunk port; 802.1X needs an access port.

interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ...

AP control at the access layer: the FlexConnect challenge

Supplicant --(EAPoL; Layer 2 point-to-(multi)point link)-- Authenticator --(RADIUS; Layer 3)-- AuthC Server

AP → switch: "Here I am."
Switch → AuthC server: "What do you think?"
AuthC server → switch: "Accept. Here is the interface template *"
  cisco-av-pair=interface-template-name=FLEXCONNECT_AP_TRUNK_TEMPLATE

template FLEXCONNECT_AP_TRUNK_TEMPLATE
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,110,120,130
 switchport mode trunk
 spanning-tree portfast trunk

* IOS 15.2(2)E+

Securing the AP-WLC communication: CAPWAP tunnels (see also BRKEWN-2010, BRKEWN-2670)

• CAPWAP Control: DTLS, UDP 5246.

• CAPWAP Data (DTLS): UDP 5247.

AireOS: config ap link-encryption enable all/[AP-NAME]

IOS-XE: [screenshot]

Securing the AP-WLC communication: Manufacturer Installed Certificate (MIC)

[Figure: CAPWAP Control (DTLS, UDP 5246) and CAPWAP Data (DTLS, UDP 5247) between AP and WLC, using the Manufacturer Installed Certificate]

Securing the AP-WLC communication: Local Significant Certificate (LSC) – AireOS

[Figure: your PKI issues the certificates used for CAPWAP]

Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

Secure Isolation with Guest Anchor

[Figure: enterprise users and wireless guests connect to the Wireless LAN Controller; guest traffic is carried in a CAPWAP guest tunnel to the DMZ or Anchor Wireless LAN Controller and out through the firewall to the Internet]

Securing the AP-WLC communication: Local Significant Certificate (LSC) – IOS-XE

ap lsc-provision
! In Non-WLANCC mode APs will be provisioning with RSA certificates with specified key-size configuration. In WLANCC mode APs
! will be provisioning with EC certificates with a 384 bit key by-default or 256 bit key if configured.
! Are you sure you want to continue? (y/n): y
! POINT OF NO RETURN: APs will request LSCs and reboot configured to use those LSCs

wireless management trustpoint LSC_TRUSTPOINT

! To revert back to MIC
no ap lsc-provision
no ap lsc-provision join-attempt 0
no ap lsc-provision key-size 2048
no ap lsc-provision subject-name-parameter country FR state IdF city Paris domain Sales org Lab email-address [email protected]
no ap lsc-provision trustpoint LSC_TRUSTPOINT
wireless management trustpoint ewlc-default-tp

For Microsoft CA and MSCEP setup, please still refer to: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

Securing the AP-WLC communication: Local Significant Certificate (LSC) – IOS-XE

"You told me it was simple!!!"

conf t
crypto key generate rsa general-keys exportable modulus 2048 label LSC_RSA_KEY
crypto pki trustpoint LSC_TRUSTPOINT
 enrollment url http://10.150.20.101/certsrv/mscep/mscep.dll
 subject-name C=FR,ST=IdF,L=Paris,O=Lab,CN=C9800-CL-A/[email protected]
 rsakeypair LSC_RSA_KEY
 revocation-check none
 exit
crypto pki authenticate LSC_TRUSTPOINT
! % Do you accept this certificate? [yes/no]: yes

crypto pki enroll LSC_TRUSTPOINT
! Password:
! Re-enter password:
! % Include the router serial number in the subject name? [yes/no]: yes
! % Include an IP address in the subject name? [no]: no
! Request certificate from CA? [yes/no]: yes

ap lsc-provision join-attempt 0
ap lsc-provision key-size 2048
ap lsc-provision subject-name-parameter country FR state IdF city Paris domain Sales org Lab email-address [email protected]
ap lsc-provision trustpoint LSC_TRUSTPOINT

For Microsoft CA and MSCEP setup, please still refer to: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

Securing the AP-WLC communication – AireOS: Default AP Group and WLAN Id > 16

• Default AP Group → WLAN Id 1-16.

• Cisco Live AP Group → WLAN Id 17+.

[Figure: APs in the Default AP Group vs. APs in the Cisco Live AP Group]

Securing the AP-WLC communication – AireOS: Out-of-Box AP Group and RF Profile (v7.3+) (for your reference)

• Out-of-Box AP Group → radios disabled.

• Cisco Live AP Group → radios enabled.

[Figure: a new AP lands in the Out-of-Box AP Group and is then moved to the Cisco Live AP Group]

Example: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/radio_resource_management.html#ID2870

APIC-EM Plug-n-Play (PnP) – AireOS 8.2+ (for your reference)

• AP SN #123 → config. file (WLC IP, Cisco Live AP Group, etc.).

• AP SN #456 → not in any project list → claim list.

APIC-EM IP in DHCP option 43, or DNS resolution for pnpserver.

[Figure: AP (SN #123) joins the WLC in the Cisco Live AP Group; AP (SN #456) waits in the APIC-EM claim list]

AP PnP Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_APIC-EM-PNP-deployment-guide.html

Securing the AP-WLC communication – IOS-XE: Default Policy Tag and WLAN Id > 16 (see also BRKEWN-2670)

• default-policy-tag → WLAN Id 1-16.

• Cisco-Live-Policy-Tag → WLAN Id 17+.

[Figure: APs with the default-policy-tag vs. APs with the Cisco-Live-Policy-Tag]

• The Policy Tag assigned to an AP defines which WLANs are served by that AP.

• A Policy Tag also ties a WLAN to a Policy Profile.

• A Policy Profile defines traffic behavior for a WLAN (e.g., switching mode, VLAN, anchor, QoS, ACL, etc.).

Wireless connection workflow

Endpoint --(802.11)-- Access Point (AP) --(CAPWAP: control messages UDP 5246, data encapsulation UDP 5247)-- Wireless LAN Controller (WLC)

1. Probe Request → AP → Probe Request (forwarded) → WLC; Probe Response.

2. Authentication Request / Authentication Response (not for 802.1X, but in case of PSK). ← IDS/aWIPS focus

3. (Re)Association Request / (Re)Association Response. ← IDS/aWIPS focus

4. 802.1X phase, if enabled.

5. EAPoL Keys exchange, in case of PSK or 802.1X.

6. Other identity services.

Over the Air Security: Intrusion Detection System (IDS) – AireOS

• It works with basic WLC+AP.

• 17 pre-canned signatures.

• Additional custom signatures are supported.

Intrusion Detection System (IDS): custom signatures – AireOS

Name = "EAPOL flood", Ver = 0, Preced= 12, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 30:0x888E:0xFFFF, Freq=50, Quiet = 300, Action = report, Desc="EAPOL Flood Attack"

Fields:

• FrmType: frame type.

• Pattern = offset:result:mask: offset from the beginning of the frame, result to obtain, and mask to apply. An additional Pattern can be added.

• Freq: number of frames per interval (1 sec by default, if not configured).

• Quiet: period of time (in secs) during which the pattern must not occur, for the alarm to stop.

IDS Signatures Tech Note: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html
AireOS 8.5 Configuration Guide: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wireless_intrusion_detection_system.html
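Added example, not from the deck or from Cisco: a small Python parser for the custom-signature syntax above, plus the Freq/Quiet alarm logic run over constructed frames. The byte order used to compare a multi-byte pattern against the frame, the layout of the constructed frames and the 1-second default interval are assumptions made here; the tech note is the reference for the WLC's actual matching rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The slide's signature, in the AireOS custom-signature syntax.
SIGNATURE_LINE = (
    'Name = "EAPOL flood", Ver = 0, Preced= 12, FrmType = data, '
    'Pattern = 0:0x0108:0x03FF, Pattern = 30:0x888E:0xFFFF, '
    'Freq=50, Quiet = 300, Action = report, Desc="EAPOL Flood Attack"'
)


@dataclass
class Pattern:
    offset: int   # offset from the beginning of the frame, in bytes
    value: int    # result to obtain after applying the mask
    mask: int     # mask to apply to the bytes at that offset
    width: int    # number of bytes the mask covers (derived from its hex digits)

    def matches(self, frame: bytes) -> bool:
        chunk = frame[self.offset:self.offset + self.width]
        if len(chunk) < self.width:
            return False
        # Assumption: the hex literal is compared with the frame bytes in the order
        # written (most significant byte first); the WLC's own ordering is not on the slide.
        return (int.from_bytes(chunk, "big") & self.mask) == self.value


@dataclass
class Signature:
    name: str
    frame_type: str
    patterns: List[Pattern]   # every pattern must match (logical AND)
    freq: int                 # matching frames per interval that raise the alarm
    quiet: int                # seconds without a match before the alarm clears
    action: str
    desc: str


def parse_signature(line: str) -> Signature:
    """Parse 'Key = value' pairs; values may be quoted, and Pattern may repeat."""
    fields, patterns = {}, []
    for key, raw in re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,]+)', line):
        val = raw.strip().strip('"')
        if key == "Pattern":
            off, value, mask = val.split(":")
            width = (len(mask) - 2 + 1) // 2          # hex digits after 0x -> bytes
            patterns.append(Pattern(int(off), int(value, 16), int(mask, 16), width))
        else:
            fields[key] = val
    return Signature(fields["Name"], fields["FrmType"], patterns, int(fields["Freq"]),
                     int(fields["Quiet"]), fields["Action"], fields["Desc"])


class SignatureMonitor:
    """Freq/Quiet alarm logic for one signature (assumed 1 s interval by default)."""

    def __init__(self, sig: Signature, interval: float = 1.0):
        self.sig, self.interval = sig, interval
        self.hits: List[float] = []          # timestamps of matching frames in the window
        self.last_hit: Optional[float] = None
        self.alarm = False

    def tick(self, ts: float) -> bool:
        """Clear the alarm once Quiet seconds have passed with no matching frame."""
        if self.alarm and self.last_hit is not None and ts - self.last_hit >= self.sig.quiet:
            self.alarm, self.hits = False, []
        return self.alarm

    def observe(self, ts: float, frame: bytes) -> bool:
        """Feed one frame with its timestamp; returns whether the alarm is active."""
        self.tick(ts)
        if all(p.matches(frame) for p in self.sig.patterns):
            self.last_hit = ts
            self.hits = [t for t in self.hits if ts - t < self.interval] + [ts]
            if len(self.hits) >= self.sig.freq:
                self.alarm = True
        return self.alarm


def eapol_frame(to_ds: bool = True) -> bytes:
    """Constructed 802.11 data frame skeleton (not a capture): frame control at
    offset 0, EtherType at offset 30 (24-byte header + 6 bytes of LLC/SNAP),
    laid out so the two patterns match under the byte-order assumption above."""
    frame = bytearray(40)
    frame[0:2] = b"\x01\x08" if to_ds else b"\x00\x08"   # & 0x03FF -> 0x0108 only if to_ds
    frame[30:32] = b"\x88\x8e"                             # EAPOL EtherType 0x888E
    return bytes(frame)


def run_flood(count: int, seconds: float = 0.5) -> bool:
    """Replay `count` constructed EAPOL frames spread over `seconds`; return alarm state."""
    mon = SignatureMonitor(parse_signature(SIGNATURE_LINE))
    state = False
    for i in range(count):
        state = mon.observe(i * seconds / count, eapol_frame())
    return state
```

With the slide's values, 50 matching frames inside one second raise the alarm and 49 do not; the alarm then stays up until 300 seconds have elapsed with no further match.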

adaptive Wireless Intrusion Prevention System (aWIPS) with AireOS

• Ad-hoc wireless bridge: client-to-client backdoor access.

• Evil twin / honeypot AP.

• Reconnaissance: seeking network vulnerabilities.

• Rogue access points: backdoor access.

• Denial of service: service disruption.

• Cracking tools: sniffing and eavesdropping.

• Non-802.11 attacks (Bluetooth, microwave, RF jammers, radar): service disruption; detected by CleanAir and tracked by MSE.

aWIPS with Mobility Services Engine (MSE) 8.0 – AireOS

[Figure: Prime, MSE, WLCs and APs; SOAP/XML over HTTP/HTTPS]

Supported AP modes for aWIPS – AireOS

[Table: four AP modes (mode names lost in extraction). Data on 2.4 and 5 GHz for three of them, data on 5 GHz only for the other; wIPS on all channels for all four, one of them on a "best effort" basis.]

Cisco Adaptive wIPS Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43500

Rogue Detection and Mitigation

Rogue classification & containment:

• Rogue Rules.

• Manual classification: Friendly / Malicious.

• Manual and auto containment.

Rogue location:

• Real-time with PI, MSE, CleanAir.

• Location of rogue APs and clients, ad-hoc rogues, non-Wi-Fi interferers.

[Figure: AP4800 with 3rd radio (serves clients on 5 GHz and scans), Monitor Mode AP (scans), FRA with MM (serves clients on 5 GHz and scans)]

aWIPS could be like subscribing for a shark insurance…

IDS and aWIPS Signatures – AireOS (for your reference)

[Screenshots: IDS on WLC, wIPS on MSE]

aWIPS Forensics – AireOS (for your reference)

IDS vs. aWIPS ELM vs. aWIPS Monitor – AireOS (for your reference)

                                   IDS    wIPS ELM   wIPS Monitor
Client servicing                   Yes    Yes        No
Rogue detection and containment    Yes    Yes        Yes
Attack detection (number)          17     39         45
MSE needed                         No     Yes        Yes
Prime needed                       No     Yes        Yes
Attack encyclopedia in alerts      No     Yes        Yes
Forensics                          No     Yes        Yes
Event correlation                  No     Yes        Yes
FlexConnect support                Yes    Yes        N/A

Comparison of attacks detected by IDS and by wIPS: http://www.cisco.com/c/en/us/td/docs/wireless/mse/8-0/MSE_wIPS/MSE_wIPS_8_0/MSE_wIPS_7_6_chapter_01010.html#concept_EF3A934E00C64036B7438C5A634296F1

Attacks not supported in aWIPS ELM – AireOS (for your reference)

Examples:

Alarm Number   Alarm Name
95             CTS_FLOOD
112            VIRTUAL_CARRIER
115            QUEENLAND
157            RTS_FLOOD
102            AIRSNARF_ATTACK
113            FAKE_DHCP_SERVER

Full list: http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113027-wips-00.html#attacks

IPS with ISE (for your reference; see also BRKSEC-3300)

[Figure: WLC, ISE, FirePOWER and FireSIGHT; RADIUS CoA from ISE to the WLC, syslog from FirePOWER, pxGrid between FireSIGHT and ISE]

Design and deployment guides:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200240-ISE-and-FirePower-integration-remediat.html
https://communities.cisco.com/servlet/JiveServlet/downloadBody/68293-102-1-125511/How-To_pxGrid_SourceFire.pdf

Rogue Access Points: what are they?

• A rogue AP is an AP that does not belong to our deployment.

“I don’t know it.” “Me neither.”

• We might need to care (malicious/on network) or not (friendly).

• Sometimes we can disable them, sometimes we can mitigate them.

Rogue AP Detection: Rogue Rules in the WLC and General Options – AireOS

Rogue AP Detection: Rogue Rules in IOS-XE

Rogue AP Detection: Rogue Location Discovery Protocol (RLDP)

[Figure: RLDP message (UDP 6352)]

Caveats:

• it only works if the rogue SSID is open;

• it does not work if the RLDP message gets filtered;

• while trying to associate to the rogue AP, the RLDP AP stops serving clients (up to 30 secs);

• deprecated for 802.11ac Wave 2 APs;

• supported on IOS-XE too, for 802.11ac Wave 1 APs.

Rogue AP Detection: Rogue Detector mode (for your reference)

[Figure: Rogue Detector AP on a trunk with all monitored VLANs (WLC, AP, client, etc.), watching for ARP from rogue clients]

Caveats:

• it only works if the rogue client's MAC is not behind NAT;

• it supports up to 500 rogue MACs;

• deprecated for 802.11ac Wave 2 APs and IOS-XE.

Config. guide: http://www.cisco.com/c/en/us/td/docs/wireless/technology/roguedetection_deploy/Rogue_Detection.html

Rogue AP Detection: Switch Port Tracing (for your reference)

[Figure: Prime follows CDP neighbors and CAM tables, hop by hop (CAM table of the next hop), to locate the switch port of the rogue AP]

CleanAir

[Figure (three animated slides): APs on channels 1, 6 and 11 managed by RRM; with CleanAir, RRM moves the AP off the channel affected by an interferer]

Event Driven RRM (EDRRM) – AireOS

• High: Air Quality ≤ 60

• Medium: Air Quality ≤ 50

• Low: Air Quality ≤ 35

Rogue AP's duty cycle contribution, available as of AireOS 8.1.

Event Driven RRM (EDRRM) – IOS-XE

• High: Air Quality ≤ 60

• Medium: Air Quality ≤ 50

• Low: Air Quality ≤ 35

Rogue AP's duty cycle contribution.

CleanAir detectable attacks: some examples (see also BRKEWN-3010)

                 IP and application attacks & exploits   Wi-Fi protocol attacks & exploits   RF signaling attacks & exploits
Layer            3-7                                     2                                   1
Detected by      traditional IDS/IPS                     wIPS                                CleanAir (dedicated to L1 exploits)

CleanAir examples: rogue threats ("undetectable" rogues); 2.4 GHz and 5 GHz Wi-Fi jammers; "classic" interferers.

Management Frame Protection (MFP) – AireOS (for your reference)

• Infrastructure MFP, with an additional Message Integrity Check (MIC) for management frames.

• Client MFP, with encryption of management frames for associated/authenticated clients (CCXv5).

[Figure: MFP-protected enterprise network]

IEEE 802.11w: Protected Management Frames (PMF) (for your reference)

• Client protection with additional cryptography for de-authentication and disassociation frames.

• Infrastructure protection with a Security Association (SA) tear-down mechanism.

[Figure: 802.11w-protected enterprise network]

IEEE 802.11w: what we get (for your reference)

• Client protection: the AP adds cryptographic protection to Deauthentication and Disassociation frames, preventing them from being spoofed in a DoS attack.

• Infrastructure protection: a Security Association (SA) teardown protection mechanism, consisting of an Association Comeback Time and an SA Query procedure, prevents spoofed Association or Authentication requests from disconnecting an already connected client.

Security Association (SA) Teardown Protection (for your reference)

• Wireless network behavior prior to 802.11w:

  • if an AP received either an Association or an Authentication request from an already associated client,

  • the AP would terminate the existing connection and then start a new connection.

• This allowed for an effective DoS attack on the network; SA teardown protection prevents this type of attack.

• When using 802.11w, if the STA is associated (with a valid SA and MFP negotiated) and the AP receives either an Association or an Authentication request for this STA:

  • the AP rejects the Association Request, returning status code 30 "Association request rejected temporarily; Try again later" to the client;

  • included in the Association Response is an Association Comeback Time information element, specifying a comeback time when the AP would be ready to accept an association with this STA.

SA Query (for your reference)

• 802.11w adds a new SA Query Action to check that the STA is a real STA, not a rogue client, during the Association Comeback Time (the time interval given in the Association Response to an already associated client before the association can be tried again).

• Once the Association Request is rejected with status code 30, the SA Query Request Action frame is sent from the AP to the STA and the STA responds with an SA Query Response Action frame, or vice-versa.

• For SA Query, three different scenarios are considered:

  • if a valid SA Query Response is not received within the SA Query timeout, tear down the client (send a disassociation) and treat a new association request like a fresh association request;

  • if a valid SA Query Response is received within the SA Query timeout:

    • do not send a new SA Query until the SA Query process starts again;

    • if we get a new association request before the SA Query timeout expires, drop that Association Request;

    • if we get an association request after the Association Comeback Time, we can refuse that association request again with status code 30 and start a new SA Query.
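Added example (not the deck's or Cisco's code): a Python model of the AP side of SA teardown protection as described on the two slides above, with the SA Query scenarios as states. The comeback time, SA Query timeout, MAC addresses and transaction ids are constructed values; the STA-initiated SA Query ("vice-versa") is not modelled, and the AP here only sends SA Queries, it never answers them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

STATUS_SUCCESS = 0
STATUS_REJECTED_TEMPORARILY = 30   # "Association request rejected temporarily; Try again later"


@dataclass
class Station:
    mac: str
    associated: bool = False
    mfp: bool = False                          # MFP (802.11w) negotiated for this SA
    sa_query_deadline: Optional[float] = None  # SA Query pending until this time
    sa_query_tid: Optional[int] = None         # transaction id of the pending SA Query


class AccessPoint:
    """AP-side state machine for SA teardown protection (constructed model)."""

    def __init__(self, comeback_time: float = 1.0, sa_query_timeout: float = 0.2):
        self.comeback_time = comeback_time          # Association Comeback Time advertised
        self.sa_query_timeout = sa_query_timeout
        self.stations: Dict[str, Station] = {}
        self.log: List[str] = []
        self._tid = 0

    def association_request(self, mac: str, now: float, mfp: bool = True) -> Optional[int]:
        """Handle an (Re)Association Request; returns the status code sent, or None if dropped."""
        self.expire_sa_queries(now)
        sta = self.stations.get(mac)
        if sta is None or not sta.associated or not sta.mfp:
            # No valid SA with MFP: pre-802.11w behaviour, any existing connection for this
            # MAC is simply replaced. This is the path a spoofed request could abuse.
            self.stations[mac] = Station(mac, associated=True, mfp=mfp)
            self.log.append(f"{mac}: associated")
            return STATUS_SUCCESS
        if sta.sa_query_deadline is not None:
            # Request arrived before the SA Query timeout expired: drop it.
            self.log.append(f"{mac}: request dropped, SA Query pending")
            return None
        # Associated with a valid SA and MFP: reject temporarily with status 30,
        # advertise the comeback time and start an SA Query toward the STA.
        self._tid += 1
        sta.sa_query_deadline = now + self.sa_query_timeout
        sta.sa_query_tid = self._tid
        self.log.append(f"{mac}: status 30, comeback {self.comeback_time}s, SA Query tid {self._tid}")
        return STATUS_REJECTED_TEMPORARILY

    def sa_query_response(self, mac: str, tid: int, now: float) -> bool:
        """A valid SA Query Response inside the timeout proves the real STA is still there."""
        sta = self.stations.get(mac)
        if (sta and sta.sa_query_deadline is not None and now <= sta.sa_query_deadline
                and tid == sta.sa_query_tid):
            sta.sa_query_deadline = sta.sa_query_tid = None
            self.log.append(f"{mac}: SA Query answered, association kept")
            return True
        return False

    def expire_sa_queries(self, now: float) -> List[str]:
        """No valid SA Query Response within the timeout: tear the client down."""
        torn_down = []
        for sta in self.stations.values():
            if sta.associated and sta.sa_query_deadline is not None and now > sta.sa_query_deadline:
                sta.associated = False
                sta.sa_query_deadline = sta.sa_query_tid = None
                torn_down.append(sta.mac)
                self.log.append(f"{sta.mac}: SA Query timeout, disassociation sent")
        return torn_down


def spoofed_request_scenario() -> List[Optional[int]]:
    """Genuine STA associated with MFP; Association Requests then arrive in its name."""
    mac = "aa:bb:cc:00:00:01"                                   # constructed
    ap = AccessPoint()
    results = [ap.association_request(mac, 0.0)]                # 0: the real association
    results.append(ap.association_request(mac, 5.0))            # 30: rejected, SA Query started
    results.append(ap.association_request(mac, 5.1))            # None: dropped, SA Query pending
    ap.sa_query_response(mac, ap.stations[mac].sa_query_tid, 5.15)   # the real STA answers
    results.append(ap.association_request(mac, 6.5))            # 30 again, new SA Query
    assert ap.stations[mac].associated                          # the client was never disconnected
    return results
```

The scenario function returns the status codes `[0, 30, None, 30]`: the existing client keeps its association throughout, which is the whole point of the mechanism. Removing `mfp=True` reproduces the pre-802.11w behaviour, where the second request silently replaces the first association.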

IEEE 802.11w: official support in AireOS and IOS-XE (for your reference)

• As of WLC 7.4, the 802.11w standard is supported on all 802.11n-capable APs and beyond:

  • except those configured for FlexConnect operation, which is not supported;

  • the AP1130 and AP1240 are not 11n-capable and are also not supported.

• The 802.11w standard is supported on the 3504, 5520, 8540 and C9800 Wireless Controller platforms.

• The 7500 and vWLC will not support 11w, as they are designed to support FlexConnect APs only and FlexConnect is not supported.

Some words on KRACK (Key Reinstallation Attacks) (for your reference)

• “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” https://papers.mathyvanhoef.com/ccs2017.pdf

• 10 vulnerabilities.

• Only 1 vulnerability affecting the station (i.e., the AP), and only for 802.11r.

• 9 vulnerabilities affecting clients, but not all OSes are vulnerable at the same level (e.g., Win 7 and 10 are vulnerable to fewer attacks than wpa_supplicant).

• Cisco's official communication: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa (vulnerabilities referenced as CVE-2017-13077 to 82, CVE-2017-13084 and CVE-2017-13086 to 88)

KRACK: example of forcing a nonce reuse (for your reference)

Supplicant (STA) ⇄ Authenticator (AP), 4-way handshake with replay counter r:

1. ← EAPoL M1 (r, ANonce); the STA derives the PTK.

2. → EAPoL M2 (r, SNonce); the AP derives the PTK.

3. ← EAPoL M3 (r+1, GTK); the STA installs PTK & GTK.

4. → EAPoL M4 (r+1).

5. → Enc_PN[Data(...)]: data frame encrypted with packet number PN.

6. ← EAPoL M3 (r+2, GTK): retransmitted M3; the STA re-installs PTK & GTK.

7. → Enc_PN+1[EAPoL M4 (r+2)].

8. EAPoL M4 (r+1) reaches the AP; the AP installs the PTK.

9. → Enc_PN[Data(...)]: data frame encrypted again with the same PN as in step 5 (nonce reuse).

PN = Packet Number for CCM (a.k.a. "nonce" in the research paper).

Protection and mitigation options against KRACK (for your reference)

• To fix the one vulnerability affecting the APs (Cisco's ref. CVE-2017-13082), you could either disable 802.11r or apply an AireOS version integrating the fix:

  • 8.0.152.0+

  • 8.2.166.0+

  • 8.3.133.0+

  • 8.5.105.0 (or any other higher version/train)

• Note: any wireless station/AP using 802.11r is affected by this vulnerability, unless fixed by the vendor.

Protection and mitigation options against KRACK (for your reference)

• To mitigate 5 of the client's vulnerabilities (Cisco's ref. CVE-2017-13077 to 81):

  • configure EAPoL messages retries to exclude retransmissions.

Up until AireOS 7.6, it's a global command:

config advanced eap eapol-key-retries 0
config advanced eap eapol-key-timeout 1000

As of AireOS 7.6, this is supported on a per-WLAN basis:

config wlan disable
config wlan security eap-params enable
config wlan security eap-params eapol-key-retries 0
config wlan security eap-params eapol-key-timeout 1000
config wlan enable

(A timeout of 1000 ms is usually enough, but this could change according to other specific needs.)

Protection and mitigation options against KRACK (for your reference)

• To mitigate 5 of the client's vulnerabilities (Cisco's ref. CVE-2017-13077 to 81):

  • configure EAPoL messages retries to exclude retransmissions;

  • configure rogue AP detection rules.


Example of SNMP trap message from the WLC:

... Impersonation of AP with Base Radio MAC de:ad:be:ef:de:ad using source address of de:ad:be:ef:de:ad has been detected ...
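Added example, not from the deck: Python detection logic that reads WLC trap/syslog lines of the shape above, extracts the impersonated base radio MAC and the spoofed source address, and raises the severity when the impersonated MAC belongs to one of our own APs, which is the rogue-AP situation the slide's rogue rules are meant to catch. The sample lines (built around the slide's de:ad:be:ef:de:ad placeholder) and the AP inventory are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed trap/syslog lines in the shape shown on the slide; MACs are made up.
SAMPLE_LINES = [
    "Impersonation of AP with Base Radio MAC de:ad:be:ef:de:ad using source address of "
    "de:ad:be:ef:de:ad has been detected",
    "Rogue AP 00:11:22:33:44:55 detected on channel 6",
    "Impersonation of AP with Base Radio MAC DE:AD:BE:EF:DE:AD using source address of "
    "de:ad:be:ef:de:ad has been detected",
    "Impersonation of AP with Base Radio MAC 00:11:22:33:44:60 using source address of "
    "00:11:22:33:44:60 has been detected",
]

# Constructed inventory: base radio MACs of the APs that belong to our deployment.
OUR_BASE_RADIO_MACS = {"de:ad:be:ef:de:ad"}

IMPERSONATION_RE = re.compile(
    r"Impersonation of AP with Base Radio MAC (?P<base>[0-9a-f:]{17}) "
    r"using source address of (?P<src>[0-9a-f:]{17}) has been detected",
    re.IGNORECASE,
)


def parse_impersonation(line: str) -> Optional[Dict[str, str]]:
    """Return the impersonated base radio MAC and the source address used, or None
    when the line is not an AP impersonation trap."""
    m = IMPERSONATION_RE.search(line)
    if not m:
        return None
    return {"base": m.group("base").lower(), "src": m.group("src").lower()}


def summarize(lines: List[str], ours=OUR_BASE_RADIO_MACS) -> Dict[str, Dict]:
    """Group impersonation events per impersonated AP and grade them: a rogue that
    impersonates one of our own base radio MACs is the case worth acting on, since a
    cloned AP is the building block for the client-side key reinstallation attacks."""
    counts = Counter()
    for line in lines:
        event = parse_impersonation(line)
        if event:
            counts[event["base"]] += 1
    return {
        base: {"events": n, "ours": base in ours, "severity": "high" if base in ours else "info"}
        for base, n in counts.items()
    }


if __name__ == "__main__":
    for base, info in summarize(SAMPLE_LINES).items():
        print(f"{base}: {info['events']} event(s), severity {info['severity']}")
```

MAC addresses are normalised to lower case before grouping, so traps that print the same address in different case (as in the constructed sample) end up in one bucket.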

Wi-Fi Certified Easy Connect

• Another WFA certification, not part of WPA3.

• Mostly targeted for home/IoT networks.

[Figure: a Configurator pushes a Configuration Profile to each Enrollee]

Wi-Fi Certified Enhanced Open: coming up along with WPA3

• Another WFA certification, not part of WPA3.

• Mostly targeted for hotspots.

• Based on Opportunistic Wireless Encryption (OWE): APs and clients will be able to automatically negotiate encryption.

• It prevents passive attacks (i.e., traffic visibility).

Secure the client: choosing the access control method

• 802.1X

• MAC Authentication Bypass (MAB)

• Web Authentication

• What to do next? (posture assessment, MDM, etc.)

Spectrum of BYOD Strategies – For your reference
Different Deployment Requirements for Different Environments

Components: Cisco WLAN Controller, ISE, Cisco Catalyst Switch, ASA Firewall.

• Controller only (wireless only): basic profiling and policy on the WLC.

• Controller + ISE-Wireless (wireless only): AAA + advanced profiling + device posture + client on-boarding + guest + MDM.

• Extended (wired + wireless + remote access): AAA + advanced profiling + device posture + client on-boarding + guest + Mobile Device Management (MDM).

802.1X – Why 802.1X?

• Industry standard approach to user/device identity.
• Most secure authentication.
• Foundation for various services like posture and policy implementation.
• Complements other switch security features.
• Various deployment options.

How does it work?

Supplicant <-(EAPoL)-> Authenticator (AP, WLC) <-(RADIUS)-> Authentication Server (ISE)

Client Context and Policies – Control and Enforcement

1. Identity: machine/user authentication (802.1X, EAP, RADIUS) between the endpoint, the access point, the Wireless LAN Controller and ISE.
2. Profiling: ISE identifies the device from HTTP, NetFlow, SNMP, DNS and DHCP attributes.
3. Posture of the device.
4. Policy decision: a company asset gets the corporate resources (HQ); a personal asset gets Internet only.
5. Enforcement: dACL, VLAN, SGA.
6. Full or partial access granted (Unified Access Management).

Device Policy Steps with Cisco ISE – For your reference

• Phase 1 – Authentication (EAP): ISE
• Phase 2 – Device identification and policy assignment (MAC, DHCP, DNS, HTTP): ISE
• Phase 3 – Posture assessment (client supplicant): ISE
• Phase 4 – Device policy enforcement: WLC. Allowed device? If not, Internet-only; if allowed: QoS Silver, ACL Allow-All, VLAN Employee.

Wireless connection workflow

Endpoint <-> Access Point (AP) <-> Wireless LAN Controller (WLC). CAPWAP between AP and WLC: 802.11 control messages on UDP 5246, data encapsulation on UDP 5247.

1. Probe Request (forwarded by the AP) / Probe Response
2. Authentication Request / Response (not for 802.1X, but in case of PSK)
3. (Re)Association Request / Response
4. 802.1X phase, if enabled
5. EAPoL key exchange, in case of PSK or 802.1X
6. Other identity services

Steps 4 to 6 are the access control focus of this session.

Secure or open SSID?

• Secure SSID
• Open SSID

Over the Air Security:

• A secure SSID cannot fall back to open.
  • Example: guests not supporting 802.1X cannot fall back to web portal authentication on the same SSID as corporate users.

• Pre-shared keys (PSK) and keys derived from 802.1X are not supported together.

• On both types of SSIDs you can combine multiple identity services if needed.
  • Examples: guest users going through posture assessment, employees going through MDM, employees going through web portal after device authentication, etc.

Secure SSID – key management and roaming

• Up to 24 WLCs in the same Mobility Group.

• With PSK there is no need for key management: keys are already statically defined.

• Pro-active/Opportunistic Key Caching (PKC/OKC)
  – Enabled with WPA2.
  – Available since Windows XP SP2.
  – Available on Samsung Galaxy S4 (Android 4.2.2).

• Cisco Centralized Key Management (CCKM)
  – Mostly used with 7921/7925/7926/8821 phones.
  – Available as of Samsung Galaxy S4 (Android 4.2.2).

• Sticky Key Caching (SKC)
  – Available as of Apple iOS 5.0.

• 802.11r
  – Available as of Samsung Galaxy S4 (Android 4.2.2) and Apple iPhone 4S (iOS 6.0).

Secure SSID – key management methods (PKC/OKC, CCKM, 802.11r) – For your reference

Diagram: (re)association after a link breakage, as seen between the client and the WLC through the AP (CAPWAP encapsulated):

  Client -> WLC: ProbeReq (CAPWAP(ProbeReq))
  Client <- WLC: ProbeResp
  Client <-> WLC: 802.11 Auth
  Client -> WLC: AssocReq (CAPWAP(AssocReq))
  Client <- WLC: AssocResp (CAPWAP(AssocResp))
  Client <- WLC: EAPOL-M1 (ANonce) (CAPWAP(EAPOL-M1))
  Client -> WLC: EAPOL-M2 (SNonce) (CAPWAP(EAPOL-M2))
  Client <- WLC: EAPOL-M3 (CAPWAP(EAPOL-M3))
  Client -> WLC: EAPOL-M4 (CAPWAP(EAPOL-M4))

802.11 WLAN Roaming and Fast-Secure Roaming: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080c1a517.shtml

FlexConnect Feature Matrix for key management support: http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-wlc-00.html#anc9
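The EAPOL M1 to M4 exchange in the diagram carries the two nonces from which the pairwise keys are derived, and the key caching methods listed above all revolve around reusing the PMK instead of repeating 802.1X. As an added example that is not part of the deck, the Python below reproduces the WPA2 key hierarchy with only the standard library: the PMK from a PSK, the PMKID a client presents when it roams with a cached PMK (PKC/OKC, SKC), and the PTK split into KCK, KEK and TK from the 4-way handshake. The MAC addresses and nonces are constructed; the passphrase/SSID pair is the published IEEE 802.11 test vector.

```python
import hashlib
import hmac


def psk_to_pmk(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n for the SHA-1 based AKMs: HMAC-SHA1 in counter mode."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the cache name a client
    sends in its (re)association request so the WLC can skip 802.1X on a roam."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """4-way handshake: PTK = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # 48 bytes for CCMP
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck, eapol_frame):
    """MIC over an EAPOL-Key frame (MIC field zeroed) for M2/M3/M4: HMAC-SHA1-128 with the KCK."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed demo values: documentation-style MACs and fixed nonces.
AP_MAC = bytes.fromhex("00005e005301")
STA_MAC = bytes.fromhex("00005e005302")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def demo():
    pmk = psk_to_pmk("password", "IEEE")  # IEEE 802.11 Annex test vector
    first = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    # The same PMK and nonces always give the same TK. A client that reinstalls
    # an already installed TK on a retransmitted M3 and resets its packet
    # number is the failure mode the KRACK mitigation slides address by
    # limiting EAPoL key retransmissions on the WLC.
    replay = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    fresh = derive_ptk(pmk, AP_MAC, STA_MAC, bytes(range(64, 96)), SNONCE)
    return {"pmk": pmk,
            "pmkid": pmkid(pmk, AP_MAC, STA_MAC),
            "tk_repeats_on_replay": first["tk"] == replay["tk"],
            "tk_changes_with_new_anonce": first["tk"] != fresh["tk"]}


if __name__ == "__main__":
    result = demo()
    print("PMK  ", result["pmk"].hex())
    print("PMKID", result["pmkid"].hex())
```

With 802.1X the PMK comes from the EAP method (the MSK) instead of `psk_to_pmk`, but everything from the PMKID down is identical, which is why OKC and SKC apply to both PSK and 802.1X SSIDs.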

Maintaining IP connectivity while roaming – For your reference

• Up to 72 WLCs in the same Mobility Domain.

• Intra Controller Mobility
  – L2/same subnet: the point of presence (PoP) stays the same (or moves in case of the same FlexConnect group).
  – L3/different subnet: the controller takes care of keeping the same PoP.

• Inter Controller Mobility
  – L2/same subnet: the client database entry is moved to the new controller; the PoP moves to the new controller.
  – L3/different subnet: the client database entry is copied to the new controller (foreign); the PoP stays on the old controller (anchor).

IEEE 802.1X – For your reference

Supplicant <-(Layer 2 point-to-point link: EAP over LAN, EAPoL)-> Authenticator <-(Layer 3: RADIUS)-> Auth Server

Beginning:
  Supplicant -> Authenticator: EAPoL Start
  Supplicant <- Authenticator: EAPoL Request Identity
  Supplicant -> Authenticator: EAP-Response Identity: Alice
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]

Middle (multiple challenge/request exchanges possible):
  Authenticator <- Auth Server: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Supplicant <- Authenticator: EAP-Request: PEAP
  Supplicant -> Authenticator: EAP-Response: PEAP
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]

End:
  Authenticator <- Auth Server: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
  Supplicant <- Authenticator: EAP Success

EAP Authentication Types – Different Authentication Options Leveraging Different Credentials

Tunnel-based: EAP-PEAP and EAP-FAST, with inner methods EAP-TLS, EAP-GTC or EAP-MSCHAPv2. Certificate-based: EAP-TLS.

• Tunnel-based – Common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. This provides security for the inner method, which may be vulnerable by itself.

• Certificate-based – For more security, EAP-TLS provides mutual authentication of both the server and the client.

Identity Pre-Shared Key – Simple Onboarding of IoT devices

• Increased demand for IoT devices
• Identity security without 802.1X
• Simple operations
• High scale
• Cost effective

Per client PSK for a given SSID.

iPSK Implementation (SSID Healthcare-PSK)

• Health Monitor – key Apo32#1123 – access to Internet only.
• Infusion Pumps – key Fty32#9883 – limited access to the Data Center, with highest AVC priority.
• Lab Devices – key OLg2#663 – isolated into a specific VLAN, restricted by ACL.

Identity PSK

✓ PSK WLAN  ✓ MAC Filtering  ✓ AAA Override

Access Point <-> Wireless LAN Controller <-> ISE

ISE returns the PSK per device MAC group as RADIUS attributes:
  Corporate Devices: Cisco-AVPair += "psk-mode=ascii"; Cisco-AVPair += "psk=aabbcc"
  Sensors:           Cisco-AVPair += "psk-mode=ascii"; Cisco-AVPair += "psk=xxyyzz"
  Employees:         no PSK attributes (the WLAN PSK applies)

  Device MAC Group     Private PSK
  Corporate Devices    aabbcc
  Sensors              xxyyzz
  Employees            --- (WLAN PSK)
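The two sides of iPSK on the slides above are an ISE authorization result keyed by the device's MAC group and the WLC honouring it through AAA override. As an added example (not from the deck or Cisco), the Python below models both: a MAB lookup that returns the Cisco-AVPair values for a group, and the controller-side selection of the key (per-identity or WLAN default) with the WPA2 passphrase length rules applied before use. The endpoint database, the group-to-key mapping and the WLAN PSK are constructed, reusing the keys from the iPSK implementation slide; treating a missing `psk-mode` as ASCII is an assumption of this example.

```python
import re

# Constructed: the WLAN-level PSK configured on the SSID, used when ISE
# returns no psk attributes (the "Employees" row on the slide).
WLAN_PSK = "Healthcare-Wlan-Psk-2019"

# Constructed ISE authorization results: MAC-filtering identity groups mapped
# to the Cisco-AVPair values the WLC receives. Keys are the ones shown on the
# iPSK implementation slide.
IDENTITY_GROUPS = {
    "health-monitors": ["psk-mode=ascii", "psk=Apo32#1123"],
    "infusion-pumps": ["psk-mode=ascii", "psk=Fty32#9883"],
    "lab-devices": ["psk-mode=ascii", "psk=OLg2#663"],
    "employees": [],  # no PSK attributes -> WLAN PSK applies
}

# Constructed endpoint database (MAC -> identity group) as MAB would use it.
ENDPOINTS = {
    "02:00:5e:00:53:01": "health-monitors",
    "02:00:5e:00:53:02": "infusion-pumps",
    "02:00:5e:00:53:03": "lab-devices",
    "02:00:5e:00:53:04": "employees",
}


def parse_av_pairs(values):
    """Turn a list of 'key=value' Cisco-AVPair strings into a dict."""
    attrs = {}
    for v in values:
        key, sep, val = v.partition("=")
        if not sep:
            raise ValueError(f"malformed av-pair: {v!r}")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def valid_psk(psk, mode):
    """WPA2 passphrase rules: 8 to 63 printable ASCII characters, or exactly 64 hex digits."""
    if mode == "ascii":
        return 8 <= len(psk) <= 63 and all(32 <= ord(c) < 127 for c in psk)
    if mode == "hex":
        return re.fullmatch(r"[0-9a-fA-F]{64}", psk) is not None
    return False


def authorize(mac, endpoints=ENDPOINTS, groups=IDENTITY_GROUPS):
    """ISE side: MAB lookup of the MAC, returning the av-pairs of its group.
    An unknown MAC gets an Access-Reject (None), so MAC filtering blocks it."""
    group = endpoints.get(mac.lower())
    return None if group is None else list(groups[group])


def select_psk(avpairs, wlan_psk=WLAN_PSK):
    """WLC side (AAA override): choose the key used to validate the client's
    4-way handshake. Returns (source, key, mode)."""
    attrs = parse_av_pairs(avpairs)
    if "psk" not in attrs:
        return ("wlan", wlan_psk, "ascii")
    mode = attrs.get("psk-mode", "ascii").lower()  # assumption: ascii when unspecified
    if not valid_psk(attrs["psk"], mode):
        raise ValueError(f"invalid {mode} psk from AAA: {attrs['psk']!r}")
    return ("identity", attrs["psk"], mode)


def onboard(mac):
    """End to end: MAB authorization, then AAA override of the PSK on the WLC."""
    avpairs = authorize(mac)
    if avpairs is None:
        return ("reject", None, None)
    return select_psk(avpairs)


if __name__ == "__main__":
    for mac in list(ENDPOINTS) + ["02:00:5e:00:53:99"]:
        print(mac, onboard(mac))
```

The validation step is the part worth keeping: a key that ISE returns in the wrong mode or with the wrong length fails the handshake silently on the client, and checking it at the point where the attributes arrive turns that into a logged error.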

RADIUS Change of Authorization (CoA) – For your reference

Before CoA:
• The RADIUS protocol is initiated by the network devices (NAD).
• No way to change the authorization from ISE.

With CoA, the network device listens to CoA requests from ISE (UDP 1700/3799), and ISE can control ports when it wants to:

  (config)# aaa server radius dynamic-author
             client {PSN} server-key {RADIUS_KEY}

CoA actions:
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port

RADIUS Change of Authorization (CoA) – For your reference

Supplicant <-(Layer 2 point-to-(multi)point link: EAPoL)-> Authenticator <-(Layer 3: RADIUS)-> AuthC Server

Change of Authorization:
  Authenticator <- AuthC Server: RADIUS CoA-Request [VSA: subscriber: reauthenticate]
  Authenticator -> AuthC Server: RADIUS CoA-Ack

Re-Authentication (multiple challenge/request exchanges possible):
  Supplicant <- Authenticator: EAPoL Request Identity
  Supplicant -> Authenticator: EAP-Response Identity: Alice
  Authenticator -> AuthC Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
  Authenticator <- AuthC Server: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Supplicant <- Authenticator: EAP-Request: PEAP
  Supplicant -> Authenticator: EAP-Response: PEAP
  Authenticator -> AuthC Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]

External Resources – What are URL-Redirect scenarios? (DHCP, DNS, AV, MDM, etc.)

1. 1st connection: 802.1X / MAC Authentication. The Guest/BYOD/posture/MDM portal redirection rule on ISE returns an Access-Accept carrying Url-Redirect + Url-Redirect-Acl to the NAD.
2. The endpoint reaches DHCP, DNS, the ISE portal(s) and other resources; HTTP(S) traffic identified by the Url-Redirect-Acl triggers redirection to the ISE portal for guest, BYOD, posture, MDM, etc.
3. Additional actions if needed (guest login, certificate download, MDM check, etc.).
4. The endpoint’s session is updated via Change of Authorization (CoA).
5. 2nd connection (if CoA terminate): 802.1X / MAC Authentication; the Guest/BYOD/posture/MDM final rule returns the final Access-Accept with the final (d)ACL/SGT/VLAN/etc.

URL-Redirect-Acl considerations – AireOS – For your reference

For Cisco AireOS based NADs (e.g., 3504, 5520, 8540 WLCs), traffic denied by the Url-Redirect-Acl triggers redirection to the Url-Redirect. Other traffic, permitted by the Url-Redirect-Acl, is simply permitted.

URL-Redirect-Acl considerations – IOS(-XE) – For your reference

For C9800, traffic permitted by the Url-Redirect-Acl triggers redirection to the Url-Redirect, and other traffic, denied by the Url-Redirect-Acl, is simply permitted.

  ip access-list extended ACL_REDIRECT
   deny udp any eq bootpc any eq bootps
   deny udp any any eq domain
   deny ip any host 10.150.20.220
   permit ip any any
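The inverted permit/deny meaning between AireOS and IOS-XE is the detail that breaks redirection when a policy set is moved between controller families. As an added example (not Cisco's code), the Python below parses the slide's ACL, applies each platform's redirect rule to the same sample flows, and flips the ACEs so the IOS-XE intent can be expressed for AireOS. The flows are constructed (the web server uses a TEST-NET-1 address) and the parser covers only the ACE shapes present on the slide; the flipped list shows the logic, not AireOS ACL syntax.

```python
from dataclasses import dataclass
from typing import Optional

# Well-known port names used in the ACL on the slide.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "udp" or "tcp"
    dst_host: Optional[str]   # None means "any"
    dst_port: Optional[int]   # None means any port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def parse_ace(line):
    """Parse one IOS extended ACE of the shapes used on the slide:
    '<permit|deny> <proto> <src> [eq <port>] <any|host X> [eq <port>]'."""
    t = line.split()
    action, proto, i = t[0], t[1], 2
    i += 1                              # source address (always 'any' here)
    if i < len(t) and t[i] == "eq":     # optional source port, not matched here
        i += 2
    if t[i] == "host":
        dst_host, i = t[i + 1], i + 2
    else:
        dst_host, i = None, i + 1       # 'any'
    dst_port = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, dst_host, dst_port)


def parse_acl(text):
    """Parse the ACE lines of an 'ip access-list extended' block (header skipped)."""
    return [parse_ace(l) for l in text.strip().splitlines()
            if l.strip() and not l.strip().startswith("ip access-list")]


def first_match(acl, flow):
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if ace.dst_host not in (None, flow.dst_ip):
            continue
        if ace.dst_port not in (None, flow.dst_port):
            continue
        return ace.action
    return "deny"   # implicit deny at the end of every IOS ACL


def disposition(platform, acl, flow):
    """What the NAD does with a flow while the session carries a Url-Redirect-Acl."""
    action = first_match(acl, flow)
    if platform == "ios-xe":    # C9800: permit => redirect, deny => pass through
        return "redirect" if action == "permit" else "forward"
    if platform == "aireos":    # 3504/5520/8540: deny => redirect, permit => pass through
        return "redirect" if action == "deny" else "forward"
    raise ValueError(f"unknown platform {platform!r}")


def invert_actions(acl):
    """Flip permit/deny so an IOS-XE redirect ACL keeps its intent on AireOS."""
    return [Ace("deny" if a.action == "permit" else "permit",
                a.proto, a.dst_host, a.dst_port) for a in acl]


# The ACL from the slide, verbatim.
ACL_REDIRECT = """
ip access-list extended ACL_REDIRECT
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny ip any host 10.150.20.220
 permit ip any any
"""

# Constructed sample flows: DHCP, DNS, the ISE PSN from the slide, a web site.
FLOWS = {
    "dhcp": Flow("udp", "255.255.255.255", 67),
    "dns": Flow("udp", "10.1.1.1", 53),
    "ise_portal": Flow("tcp", "10.150.20.220", 8443),
    "web": Flow("tcp", "192.0.2.10", 80),
}


def check(platform, acl):
    return {name: disposition(platform, acl, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    acl = parse_acl(ACL_REDIRECT)
    print("ios-xe :", check("ios-xe", acl))
    print("aireos :", check("aireos", acl))               # same ACL, wrong result
    print("aireos*:", check("aireos", invert_actions(acl)))  # flipped ACEs
```

Run against the same ACL, the AireOS evaluation redirects DHCP, DNS and the ISE portal itself, which is exactly the symptom seen when the C9800 ACL is reused on an AireOS controller: the client never reaches the portal it is being redirected to.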

Cisco Identity Services Engine (ISE) – BRKSEC-2059, BRKSEC-3432

ISE consolidates ACS, NAC Profiler, NAC Guest Server, NAC Manager and NAC Server:

• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Client Provisioning
• MDM
• Monitoring & Troubleshooting
• SIEM Integration
• Device Admin / TACACS+

Authentication and Authorization – What are they?

• Authentication tells who/what the endpoint is (network and endpoints).
• Authorization tells what the endpoint has access to.

Policy elements: VLAN/VN, Security Group Tag, Quality of Service, URL Redirect, Bonjour Service Policy, Application Control.

Access Control – Authentication Options – Identity check

• Supplicants
• Network Devices (up to 100k)
• Internal Users (300k)
• External Identity Stores (enterprise network: AD/LDAP)

Access Control – Authorization – Authorization Options for Access Control

• Virtual LAN – dynamic VLAN assignments: Employees -> Corp VLAN, Light Bulb -> IoT VLAN, Guests -> Guest VLAN.
• QoS – Quality of Service: Employee -> Platinum, Contractor -> Best Effort.
• Security Group Tags – TrustSec software defined segmentation (wired + wireless).

ISE Policy Rules – For your reference

1. Authentication Rules
   • Define what identity stores to reference.
   • Example – Active Directory, CA Server, Internal DB, etc.

2. Authorization Rules
   • Define what users and devices get access to resources.
   • Example – All employees with Windows laptops have full access.

ISE’s Identity Stores – For your reference

• Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP, RSA SecurID and RADIUS Token.

• ISE’s local database can also be used, and ERS APIs are supported for remote management.

Diagram: machine/user/MAC authentication over EAPoL and RADIUS, with the credentials checked against the backend database(s): user/password (e.g., user1 / C#2!ç@_E(), certificate (PKI), token (RSA SecurID), Active Directory or generic LDAP, or the local DB.

Profiling Example from ISE – For your reference

• Is the MAC address from Apple?
• DHCP:host-name CONTAINS iPad
• IP:User-Agent CONTAINS iPad

→ I have some certainty that this device is an iPad.

Client attributes and traffic for Profiling – For your reference
How RADIUS, HTTP, DNS, DHCP (and other traffic) are used to classify clients

1. The MAC address is checked against the known vendor OUI database.
2. The client’s DHCP/HTTP attributes are captured by the AP (DHCP/HTTP sensor) and provided in RADIUS Accounting messages by the WLC.
3. Mobile devices are quite chatty for web applications (HTTP User-Agent), or they can also be redirected to one of ISE’s portals.

• The ISE uses multiple attributes to build a complete picture of the end client’s device profile.
• Information is collected from sensors which capture different attributes.
• The ISE can even kick off an NMAP scan of the host IP to determine more details.
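The iPad rule two slides back and the attribute sources listed here combine into a scoring problem: each matched condition adds certainty, and a policy only applies once the sum reaches its minimum. As an added example that is not from the deck or from ISE itself, the Python below is a simplified model of that certainty-factor profiling, including the parent/child dependency (a device with a non-Apple OUI cannot become an "Apple-iPad" no matter what its hostname says). The OUI table, the certainty values and the endpoint attribute sets are constructed; the real OUI registry and ISE's built-in policies differ.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed OUI table: illustrative prefixes only, not the IEEE registry.
OUI_VENDORS = {
    "02:00:5e": "Apple",      # constructed entry standing in for an Apple OUI
    "02:00:5f": "Acme Corp",  # constructed entry
}


def oui_vendor(mac):
    return OUI_VENDORS.get(mac.lower()[:8], "Unknown")


@dataclass
class Condition:
    name: str
    certainty: int                          # certainty factor added on match
    test: Callable[[Dict[str, str]], bool]


@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int
    conditions: List[Condition]
    parent: Optional[str] = None


def contains(attr, needle):
    """Build a CONTAINS test over one collected attribute (case-insensitive)."""
    return lambda ep: needle.lower() in ep.get(attr, "").lower()


# Simplified model of ISE profiling: every matching condition adds its
# certainty factor; the policy matches when the sum reaches its minimum.
POLICIES = [
    ProfilingPolicy("Apple-Device", 10, [
        Condition("OUI is Apple", 10, lambda ep: oui_vendor(ep["mac"]) == "Apple"),
    ]),
    ProfilingPolicy("Apple-iPad", 30, [
        Condition("OUI is Apple", 10, lambda ep: oui_vendor(ep["mac"]) == "Apple"),
        Condition("DHCP:host-name CONTAINS iPad", 20, contains("dhcp:host-name", "iPad")),
        Condition("IP:User-Agent CONTAINS iPad", 30, contains("ip:user-agent", "iPad")),
    ], parent="Apple-Device"),
]


def score(policy, endpoint):
    return sum(c.certainty for c in policy.conditions if c.test(endpoint))


def profile(endpoint, policies=POLICIES):
    """Return (policy name, certainty) of the best matching policy, or ("Unknown", 0).
    A child policy only counts when its parent matched as well."""
    matched = {}
    for p in policies:                      # parents are listed before children
        s = score(p, endpoint)
        if s >= p.min_certainty and (p.parent is None or p.parent in matched):
            matched[p.name] = s
    if not matched:
        return ("Unknown", 0)
    best = max(matched, key=matched.get)
    return (best, matched[best])


# Constructed endpoint attribute sets, as RADIUS accounting and the DHCP/HTTP
# sensors would populate them.
ENDPOINTS = {
    "ipad": {"mac": "02:00:5e:11:22:33", "dhcp:host-name": "Alices-iPad",
             "ip:user-agent": "Mozilla/5.0 (iPad; CPU OS 12_1 like Mac OS X)"},
    "ipad_no_http": {"mac": "02:00:5e:11:22:34", "dhcp:host-name": "iPad-Lab"},
    "apple_other": {"mac": "02:00:5e:11:22:35", "dhcp:host-name": "MacBook"},
    "spoofed_name": {"mac": "02:00:5f:aa:bb:cc", "dhcp:host-name": "iPad",
                     "ip:user-agent": "iPad"},
}


if __name__ == "__main__":
    for name, ep in ENDPOINTS.items():
        print(f"{name:14s} -> {profile(ep)}")
```

The `spoofed_name` endpoint is the case to watch in authorization rules: hostname and User-Agent are client-controlled, so a policy that grants access on those alone, without the OUI (or better, a stronger identity such as a certificate), is trivially claimed.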

Authorization Results – Permissions – For your reference

Pre-canned and user-defined attributes.

FlexConnect – VLAN based central switching – For your reference (BRKEWN-2016)

• If the RADIUS assigned VLAN exists locally at Flex AP (Group) level, switch locally on that VLAN.
• If the RADIUS assigned VLAN does not exist locally at Flex AP level, but exists centrally on the WLC, switch centrally on the dynamic interface associated with that VLAN.
• If no VLAN is assigned, or it does not exist locally at Flex AP level and does not exist centrally on the WLC, switch centrally on the default dynamic interface of the WLAN.
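The three rules are evaluated in order, and the second and third are where clients end up in an unexpected subnet when a VLAN mapping is missing on one side. As an added example (not Cisco's code), the Python below applies them to a constructed topology of Flex-group VLANs and WLC dynamic interfaces so the outcome for any RADIUS-assigned VLAN can be checked before the change is pushed.

```python
# Constructed topology: VLANs mapped on the FlexConnect group and the
# dynamic interfaces that exist centrally on the WLC.
FLEX_AP_VLANS = {10, 20}
WLC_DYNAMIC_INTERFACES = {20: "vlan20-if", 30: "vlan30-if"}
WLAN_DEFAULT_INTERFACE = "vlan10-if"   # default dynamic interface of the WLAN


def switching_decision(radius_vlan, flex_vlans=FLEX_AP_VLANS,
                       wlc_ifaces=WLC_DYNAMIC_INTERFACES,
                       default_iface=WLAN_DEFAULT_INTERFACE):
    """Apply the slide's three rules to a RADIUS-assigned VLAN (None when
    AAA returned no VLAN). Returns (mode, local VLAN or central interface)."""
    if radius_vlan is not None and radius_vlan in flex_vlans:
        return ("local", radius_vlan)                     # rule 1
    if radius_vlan is not None and radius_vlan in wlc_ifaces:
        return ("central", wlc_ifaces[radius_vlan])       # rule 2
    return ("central", default_iface)                     # rule 3


def audit(vlans):
    """Evaluate a set of VLANs an authorization policy may return and flag
    those that silently fall back to the WLAN default interface."""
    report = {}
    for v in vlans:
        mode, target = switching_decision(v)
        fallback = v is not None and target == WLAN_DEFAULT_INTERFACE and mode == "central"
        report[v] = {"mode": mode, "target": target, "unmapped_fallback": fallback}
    return report


if __name__ == "__main__":
    for vlan, r in audit([10, 20, 30, 40, None]).items():
        print(vlan, r)
```

VLAN 20 exists both locally and centrally and is switched locally because rule 1 wins; VLAN 40 exists nowhere and is the case the audit flags, since the client is placed on the default interface without any error from AAA.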

Cisco Wireless User-Based QoS Capabilities – For your reference
Allowing Per-User and Per-Device Limiting of the Maximum QoS Level

WMM queues: Voice, Video, Best Effort, Background.

• Contractor – Silver QoS: the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort queue.
• Employee – Platinum QoS: the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the Voice queue.

Diagram: QoS tagged packets from Call Manager through the WLC and the access point to the employee and contractor clients.

Security Group Access (SGA) – AireOS 8.3 and before – SXP peering from the WLC

SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.

IP-to-SGT binding table on the WLC (from ISE):
  IP Address     SGT
  10.1.10.102    5
  10.1.10.110    14
  10.1.99.100    12

Users and endpoints (WebAuth, 802.1X, MAB, agent-less device) on VLAN 100 get SGT 5; the IT Portal (10.1.100.10) is SGT 4. The WLC (SXP speaker) sends the IP-to-SGT binding table via SXP to SGT tagging or SGACL capable devices (e.g., Catalyst 3750-X as SXP listener; Cat 6500 at the distribution). Frames leave the WLC untagged and are tagged in the campus network, where SGT enforcement applies: deny sgt-src 5 sgt-dst 4.

Security Group Access (SGA) – As of AireOS 8.4 and IOS-XE – SXP peering from the AP (802.11ac)

Same binding table and SGACL (deny sgt-src 5 sgt-dst 4), but the AP is now the SXP speaker and the Catalyst 3k-X the listener.

Security Group Access (SGA) – As of AireOS 8.4 and IOS-XE – SGT inline tagging at WLC or AP (802.11ac) – For your reference

SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.

Users and endpoints (WebAuth, 802.1X, MAB, agent-less device) get SGT 5 from ISE; the WLC or the AP sends tagged frames into the campus network, where the Catalyst 3k-X enforces the SGACL: deny sgt-src 5 sgt-dst 4.

Security Group Access (SGA) – As of AireOS 8.4 and IOS-XE – SGACL at the WLC or AP (802.11ac) – BRKSEC-3690

SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL.

Users and endpoints (WebAuth, 802.1X, MAB, agent-less device) get SGT 5 from ISE; the SGACL (deny sgt-src 5 sgt-dst 4) is downloaded from ISE and enforced directly at the WLC or at the AP.
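Across the four SGA slides the same two pieces of state move around: the IP-to-SGT binding table (carried by SXP or applied inline as a tag) and the SGACL matrix, and only the enforcement point changes. As an added example (not Cisco's code), the Python below models a binding table with longest-prefix lookup, what an SXP speaker exports to its listener, and SGACL enforcement for a flow between the slides' addresses. The bindings reuse the slide's IPs and SGTs; the /24 entry and the default permit are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed binding table (IP or prefix -> SGT) using the slides' addresses;
# the /24 entry is added here to show longest-prefix matching.
BINDINGS = {
    "10.1.10.102/32": 5,     # WebAuth user
    "10.1.10.110/32": 14,
    "10.1.99.100/32": 12,
    "10.1.100.10/32": 4,     # IT Portal
    "10.1.100.0/24": 3,      # constructed: rest of the server subnet
}

UNKNOWN_SGT = 0   # TrustSec "Unknown" tag for addresses without a binding

# SGACL policy matrix (src SGT, dst SGT) -> action: the slides' cell
# "deny sgt-src 5 sgt-dst 4", with a constructed default permit elsewhere.
SGACL = {(5, 4): "deny"}
DEFAULT_ACTION = "permit"


def build_table(bindings):
    """Normalise the binding table into (network, sgt) pairs, most specific
    prefix first, the order a tagging device consults them in."""
    table = [(ip_network(p), sgt) for p, sgt in bindings.items()]
    return sorted(table, key=lambda t: t[0].prefixlen, reverse=True)


def lookup_sgt(table, ip):
    """Longest prefix match of an IP against the IP-to-SGT table."""
    addr = ip_address(ip)
    for net, sgt in table:
        if addr in net:
            return sgt
    return UNKNOWN_SGT


def sxp_export(table):
    """What an SXP speaker (the WLC or the AP on the slides) hands to its
    listener: the list of bindings, most specific first."""
    return [(str(net), sgt) for net, sgt in table]


def enforce(table, src_ip, dst_ip, sgacl=SGACL, default=DEFAULT_ACTION):
    """Classify both ends of a flow and apply the SGACL matrix at the
    enforcement point (Catalyst switch, WLC or AP, depending on the slide)."""
    src_sgt = lookup_sgt(table, src_ip)
    dst_sgt = lookup_sgt(table, dst_ip)
    action = sgacl.get((src_sgt, dst_sgt), default)
    return {"src_sgt": src_sgt, "dst_sgt": dst_sgt, "action": action}


if __name__ == "__main__":
    table = build_table(BINDINGS)
    print(sxp_export(table))
    print(enforce(table, "10.1.10.102", "10.1.100.10"))   # SGT 5 -> SGT 4: deny
    print(enforce(table, "10.1.10.110", "10.1.100.10"))   # SGT 14 -> SGT 4: permit
```

The unknown-SGT path is the one to test in a real deployment: an endpoint whose binding never reached the enforcement point (SXP session down, AP not yet peered) is classified as SGT 0 and hits whatever the matrix says for that row, which is why the default cell matters as much as the explicit deny.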

TrustSec Integrated into SD-Access – BRKEWN-2020

• CAPWAP control tunnel between the WLC (3504, 5520, 8540, 8510, C9800) and the APs (1800, 2800, 3800).
• VXLAN data tunnel (overlay network) between the APs and the edge devices.
• Hosts (end-points) attach to the edge devices; underlay network with its underlay control plane.

TrustSec as Natively Integrated into SD-Access

1. Control plane based on LISP
2. Data plane based on VXLAN

  Original packet:  ETHERNET | IP | PAYLOAD
  Packet in LISP:   ETHERNET | IP | UDP | LISP | IP | PAYLOAD  (supports L3 overlay)
  Packet in VXLAN:  ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD  (supports L2 & L3 overlay; the VXLAN header carries VRF + SGT)

A quick intro to Cisco Umbrella – For your reference

Diagram: a client at ACME sends a DNS query to the local DNS server 10.1.1.1 (or to an external DNS proxy), which forwards it to Cisco Umbrella at 208.67.220.220 on the Internet; the DNS response is filtered by policies (e.g., block gaming sites).

WLC integration with Cisco Umbrella – For your reference

Diagram: the WLC forwards the clients’ DNS queries to Cisco Umbrella and relays the DNS responses.

Role Based Policy with Cisco Umbrella – OpenDNS Profile Mapping in Local Policy

The AAA user role (Contractor, Employee) maps to the Contractor Policy or the Employee Policy.


Location Based Policy with Cisco Umbrella – OpenDNS Profile Mapping in AP Group

The AP group (Corporate HQ, Branch Office) maps to the Corporate Policy or the Branch Policy.

WLC integration with StealthWatch – For your reference (BRKSEC-3014)

Diagram: the WLC exports NetFlow v9 records to StealthWatch; when StealthWatch detects e.g. BitTorrent, it sends pxGrid notifications to ISE, and ISE issues a CoA to the WLC to quarantine the endpoint.

Guests and BYOD, can’t hide... – For your reference

Wi-Fi Protected Access (WPA) 3 – Coming up with AireOS, IOS-XE and 802.11ac Wave 2 APs or later

• New Wi-Fi Alliance (WFA) certification.

• It certifies new security options defined in the IEEE 802.11-2016 standard.

• 3 main innovations:
  o Simultaneous Authentication of Equals (SAE) for WPA3-Personal (a variant of the Dragonfly handshake, resistant to offline dictionary attacks)
  o Protected Management Frames (PMF) now mandatory with WPA3 (already available but not always enforced with WPA2)
  o 192-bit security equivalent for WPA3-Enterprise (256-bit AES-GCM + 384-bit elliptic curves + SHA384 + 3072-bit RSA keys)

WPA3-Personal == WPA3 PSK based SSID; WPA3-Enterprise == WPA3 802.1X based SSID.

Use Cases – Holistic Approach to Wireless Security

Use Actionable Insights for Accelerated Network Security Operations:

• End-to-End Visibility: RF analysis, AVC, channel scanning, NetFlow, intelligent capture.
• Correlated Insights: secure client access, proactive segmentation, ISE policies.
• Right place, right time, right action.

Granular Filtering with Policy tie-in to AVC

ROLE BASED APPLICATION POLICY
• Alice (Nurse) and Bob (IT Admin) are both employees.
• Both Alice and Bob are connected to the same SSID.
• Alice can access certain applications (YouTube), Bob cannot.

ROLE BASED + DEVICE TYPE APPLICATION POLICY
• Alice can access inventory info on an IT provisioned Windows laptop.
• Alice cannot access inventory info on her personal iPhone.

ROLE BASED + DEVICE TYPE + APPLICATION SPECIFIC POLICY
• Alice has limited access (rate limit) to Netflix and Jabber on her iPhone.

Role Based Policy with AVC – Per-user profile via AAA

RADIUS returns the AVC profile to the WLC:
  Employee:   cisco-av-pair = "avc-profile-name=AVC-Employee"
  Contractor: cisco-av-pair = "avc-profile-name=AVC-Contract"

Applications shown for the Employee profile: YouTube, Facebook, Skype, BitTorrent. For the Contractor profile: Facebook, Skype.

mDNS and Bonjour Services – Filter by WLAN and VLAN

• mDNS Profiles – select services.
• mDNS Profile with Local Policy – services per-user and per-device.
• mDNS Policies – services based on AP location and user role.

Diagram: Teacher and Student service profiles, each with its own service instance list (Apple TV1, Apple TV2, AirPrint, AirPlay, File Share, iTunes Sharing), mapped to the Teacher network and Student network mDNS service instance groups.

The secure wireless family business

• Learn the single elements and combine your own solution.

• Give it a try (e.g., PoC) before starting the production.

• KISS (Keep It Simple and Stupid)

What other personal wireless security needs do you have?

Extra Q&A right outside the door.

Continue your education: demos in the Cisco campus, walk-in labs, meet the engineer, related sessions, 1:1 meetings.

Complete your online session evaluation

• Please complete your session survey after each session. Your feedback is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.

• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Thank you