Arraya Insights | December 28, 2018
This is the fourth post in an ongoing, deep-dive series on the subject of segmentation. Each post is written by a member of Arraya’s technical or tactical teams and focuses on a specific piece of this extremely broad, highly transformational topic.
In this week’s post on segmentation, we will cover Cisco’s Identity Services Engine (ISE) and how we’ve used it in different scenarios to provide optimal network access control for our customers. The majority of use cases here involve wireless access, but the same approach applies to wired or VPN access. We will discuss the AAA override features available and why some may be a better fit than others for different business needs.
As wireless continues to grow into the main access method for network users, the limits of the available frequency spectrum have become apparent. Wireless engineers must use that spectrum as efficiently as possible in order to get the best performance out of the network. One sure way to limit the performance of a WLAN is to flood the air with unnecessary management traffic, and serving too many SSIDs on a busy network will absolutely do this. The best-practice recommendation from most vendors is that no more than three or four SSIDs should be served by a given access point in a typical deployment. In high-density environments such as sports stadiums, the recommendation is one or two at most.
So, here is the problem. We know we can’t have everyone on the same network. We need to have segmentation for the different user roles. In the past, the only thing we could do was create a unique SSID for each security segment, causing SSID sprawl and crippling our network. What’s the solution? AAA-override.
Let’s consider a common mix of network devices and users: employees and contractors with restricted access, employees that require full network access, IoT, medical, warehouse, or POS devices that require segmentation, guests, and so on. The employees could be using personal devices or corporate-issued devices. Some of the network devices might not support 802.1X and would require a pre-shared key for authentication and encryption.
With Cisco ISE, we can handle all of that with only three SSIDs!
1) Open SSID with no encryption or credentials required for access, for guests and visitors. Note: when WPA3 becomes the norm, we can add encryption to an open network.
2) PSK SSID for the devices that don’t support dot1x. This could include Identity-based PSK, which allows you to configure separate keys for different groups of devices on the same SSID.
3) 802.1X SSID for everyone else, which will likely be the majority of your client base.
Diving deeper into Cisco ISE use cases
How does it work? The wireless AP or controller is configured to authenticate users against a RADIUS server, such as the one included with Cisco ISE. ISE evaluates the specifics for each authentication, and based on the policy you define, it tells the wireless network how to segment that user. Simple!
Here are a few of the use cases that leverage this feature. ISE considers the specifics of the client authentication, such as:
- Authentication credentials. This could be a username/password combination or a digital certificate. ISE looks up attributes of the user in a directory database such as Microsoft Active Directory or in its internal database.
- Device type. ISE profiles the device based on information it learns from the authentication itself or various probes you configure to feed it more info.
- Location, such as the AP, switch, floor or building where the client is located or whether it is a remote VPN session.
- Posture, which is the state of the client device as defined in a posture policy and reported by the client. This may include antivirus, OS patches, stored files, and more. This requires the AnyConnect client.
- MDM registration and compliance status.
- Time of day, SSID, and other less common attributes.
After evaluating these attributes, ISE can issue an AAA override or another NAC element:
- VLAN override. The client is placed on the specified VLAN, regardless of which VLAN is the SSID’s or port’s default. This works well in office environments with smartphones, tablets and laptops because these devices pick up on the fact that they need to get a new IP address right away.
- ACL override. The VLAN stays the same, but the specified ACL is applied to the client session. This can be more seamless, since the client does not need to obtain a new DHCP address.
- QoS override. Change the Quality of Service profile for user sessions to prioritize traffic.
- AVC override. Change the AVC profile for the session to allow or deny different applications to be used by the client.
- URL-redirect. Used to direct a user to a portal, for BYOD or guest onboarding for example.
- TrustSec SGT. A Security Group Tag gets applied to the session. We’ve used this in residential wireless deployments where a family of devices connect to the same SSID but require isolation from other groups of devices.
- Deny all access. Although not AAA override, it bears mentioning here.
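To make the evaluate-then-override flow above concrete, here is an added example (not Arraya’s or Cisco’s code) that models a first-match authorization policy for the three-SSID design and returns the RADIUS attributes an Access-Accept would carry for each override. The SSID names, group names, VLAN IDs, ACL names and portal URL are constructed for illustration; the Tunnel-* attributes are the standard RFC 2868 values used for dynamic VLAN assignment, and the url-redirect AV-pairs are the Cisco form used for portal redirection.

```python
from dataclasses import dataclass

# RFC 2868 values carried in an Access-Accept for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

@dataclass
class AuthContext:
    """Facts ISE learns about one authentication (constructed model)."""
    ssid: str             # which of the three SSIDs the client joined
    groups: frozenset     # directory groups looked up for the identity
    device_profile: str   # profiling result, e.g. "Apple-iPad", "Medical-IV-Pump"
    posture: str          # "compliant", "noncompliant" or "unknown"
    mdm_registered: bool  # MDM registration/compliance status
    hour: int             # hour of day, 0-23

def vlan_override(vlan_id: int) -> dict:
    """Dynamic VLAN: client is moved off the SSID's default VLAN."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(vlan_id)}

def acl_override(acl_name: str) -> dict:
    """ACL applied to the session; VLAN and IP address stay unchanged."""
    return {"Filter-Id": acl_name}

def url_redirect(url: str, redirect_acl: str) -> dict:
    """Send the client to an onboarding portal via Cisco AV-pairs (assumed names)."""
    return {"cisco-av-pair": [f"url-redirect={url}", f"url-redirect-acl={redirect_acl}"]}

def authorize(ctx: AuthContext) -> tuple:
    """First-match rule list, as ISE evaluates authorization rules top-down.
    Returns (rule_name, attributes); empty attributes means Access-Reject."""
    if ctx.ssid == "GUEST-OPEN":
        return "guest-onboarding", url_redirect("https://ise.example.test/guest", "GUEST-REDIRECT")
    if ctx.ssid == "IOT-PSK" and ctx.device_profile.startswith("Medical-"):
        return "medical-segment", vlan_override(300)
    if ctx.ssid == "CORP-DOT1X" and "Employees" in ctx.groups:
        if not ctx.mdm_registered:              # personal device: restrict, keep VLAN
            return "employee-byod", acl_override("BYOD-RESTRICTED")
        if ctx.posture != "compliant":          # corporate device failing posture
            return "posture-remediation", acl_override("POSTURE-REMEDIATION")
        return "employee-corporate-device", vlan_override(100)
    if ctx.ssid == "CORP-DOT1X" and "Contractors" in ctx.groups and 7 <= ctx.hour < 19:
        return "contractor-restricted", vlan_override(200)   # business hours only
    return "deny-all", {}                       # no rule matched: reject
```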
By now you’re probably thinking about how you could leverage Cisco ISE in your environment to achieve the desired segmentation as efficiently and easily as possible. If so, please reach out to us! We’d be glad to help you realize the potential of Cisco ISE.
To learn more about segmentation and its role in today’s IT landscape, reach out to our team of experts by visiting: https://www.arrayasolutions.com/contact-us/.