Campus use cases for 802.1x with TEAP, ISE, and SGT

sanchezeldorado
Level 1

Hello!

I'm trying to modernize/optimize my network. I see a lot of documents about how to setup individual pieces, but I'm struggling to find any documentation that really shows how all the pieces of my network should fit together in the real world. I know I'll need to modify any design for my specific needs, but I don't want to reinvent the wheel. Up to this point, every switch has been programmed manually and VLANs are split up all over the place. I'm adding 802.1x authentication both wired and wireless with ISE, and I'm investigating using Cisco TrustSec with SGTs at some point in the future. I don't want to waste time and effort configuring 802.1x one way only to restructure it later when adding SGTs. Here are a few of the things I'm looking for insight into.

I have around 35 VLANs per site, and for the most part, they are all in the same security zone. For efficiency, I was thinking that one VLAN per switch would be a good way to go, but dynamic VLAN assignment within ISE seems like it would be overly complex. How do larger organizations typically configure VLANs across a campus? Do you manually assign VLANs to switch ports and only use ISE to set the VLAN if a device can't authenticate or fails a posture check?

I'm using TEAP for both computer and user authentication. I'm new to ISE policy structure, and I'm unsure how best to utilize both user and computer authentication. For example, one use case I can think of off the top of my head is to use a DACL to block access to the management VLAN unless the user is a member of the network admins group. Then allow almost everything else. If I'm using computer and user authentication, how do people typically use dynamic VLAN assignment in the policy structure? Is there any documentation about a sample use case for an entire policy structure using EAP chaining?

I'm not in a place to use SGTs yet mostly due to licensing, but that is the end goal. Is setting up DACLs counter productive if I plan to use SGTs in the future? If not, I'm looking for a sample configuration of how they can best be used together.

Thanks in advance!


5 Replies

Larger orgs do not use VLAN-based enforcement. dACLs or SGTs are used. At that point the VLAN/IP of the endpoint doesn't matter. Enforcement is applied with a dACL on the switchport or via SGT.

dCloud has some great labs you can use to get a feel for TEAP/enforcement in general: https://dcloud.cisco.com/

Also check out the official ISE YouTube channel: https://www.youtube.com/c/CiscoISENetworkSecurity

With anything NAC related, a crawl, walk, run approach is always advisable. Start with basic 802.1X/MAB in monitoring mode, remediate endpoints, fix policies, rinse and repeat. Then implement enforcement using dACLs and/or SGTs. TrustSec is more scalable but also more complex than dACLs; it really depends on organization size and specific use cases.

Thank you for that information. The VLAN assignment makes sense. I'll only assign VLANs dynamically if some remediation or restrictions are needed or if I'm using MAB. Likewise, I'm sure that once I have dACLs deployed and I want to start using SGTs, I can start at the edge and work my way in. Those links will be very helpful as well.

I'm still wondering if there are any specific examples out there of policy configuration in the real world for applying dACLs while using EAP chaining, but I'm sure I have what I need to start. Thanks!

Yeah, there is a webinar on the YouTube channel specifically around TEAP. There is also a dCloud lab specific to TEAP.

Arne Bier
VIP

Dynamic VLAN assignment is very common and very easy in the wireless world (L2 auth like EAP-PEAP/TLS etc.) - but in the wired world dynamic VLAN assignment is more niche, because it's tricky for the end devices to deal with this - they don't know it's happened and then DHCP breaks. You can bounce a port of course, but that brings its own challenges (PoE for example doesn't like to be bounced).

I once had a customer requirement to have a plug-any-device-anywhere in the access layer and dynamic VLAN assignment was the only way to get it done, since this was a non-CTS deployment (no SDA, no SGT etc.). I am now also a big fan of NOT assigning VLANs dynamically on switch ports, but of only returning a dACL (permit all for employee devices using EAP-TLS, and a more strict dACL for stuff that was MAB auth'd).

There is no correct way to do this. There is a trade-off between ultimate security (operational nightmare) and designing a first line of defence (access layer auth) and then designing the rest of the network with mechanisms that protect you when a device at the access layer goes nuts (infected with malware or a hacker). Defence in depth etc. NAC is just step 1 in the greater plan.

In large organisations the management of certs should not be underestimated - for Windows domain-joined machines it's a no-brainer. For the rest (printers, phones, cameras, etc.) you need to consider HOW to manage the lifecycle of those certs. Most folks deploy certs and then fail to renew. Catastrophe. MAB. That's not security at all - so the best we can do is to make the job of MAC spoofing as difficult as we can (using profiling authZ logic) and then apply nice dACLs to thwart the hacker (or pen tester) when they spoof the MAC - and they will most likely succeed. You can also enable Anomaly Detection in ISE. But I find it throws a lot of false positives. At least that's my experience.

Keep us posted on your experiences. Sharing is caring.
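The two accepted replies above make the same design point: keep the VLAN static on the port and let ISE return a dACL whose strictness depends on how the session authenticated (permit-all for EAP chaining with a domain user, a tighter list for MAB devices), with dynamic VLANs reserved for restricted cases. The original question also asks how EAP chaining results map onto such a policy. The following is an added example, not from this thread or from Cisco: a small Python model of an ISE-style top-down authorization policy plus a minimal matcher for dACL lines in IOS syntax, so you can check that each profile really does what the thread recommends (admins reach the management VLAN, other domain users do not, printers only get DHCP/DNS/print). The subnets, group names, VLAN number, dACL names and the `Printer` profile name are constructed placeholders; the EapChainingResult strings mirror the ISE condition of that name but are an assumption about exact wording.

```python
"""Toy model of ISE authorization rules + dACL enforcement for TEAP/MAB.
Added example (not Cisco's or the thread's code); all values are constructed."""
from ipaddress import ip_address, ip_network

MGMT_WILDCARD = "10.255.0.0 0.0.0.255"   # constructed management VLAN subnet
PRINT_SERVER = "host 10.20.0.7"          # constructed print server

# dACL bodies in IOS/ISE syntax. Source is always 'any': the switch rewrites it
# to the authenticated host's IP, so the endpoint's own VLAN/IP does not matter.
DACLS = {
    "PERMIT_ALL": ["permit ip any any"],
    "NO_MGMT": [f"deny ip any {MGMT_WILDCARD}", "permit ip any any"],
    "MAB_RESTRICTED": [
        "permit udp any any eq 67",                 # DHCP
        "permit udp any any eq 53",                 # DNS
        f"permit tcp any {PRINT_SERVER} eq 9100",   # raw print
        # no trailing line: IOS applies an implicit deny at the end
    ],
}

# EapChainingResult values as ISE reports them for TEAP (assumed wording).
BOTH = "User and machine both succeeded"
MACHINE_ONLY = "User failed and machine succeeded"

# Authorization policy, evaluated top-down, first match wins (as in ISE).
# A VLAN is returned only for the MAB rule, following the thread's advice to
# keep dynamic VLAN assignment for restricted/remediation cases.
AUTHZ_POLICY = [
    ("NetAdmins",
     lambda s: s.get("eap_chaining") == BOTH and "NetworkAdmins" in s.get("ad_groups", []),
     {"dacl": "PERMIT_ALL", "vlan": None}),
    ("DomainUsers",
     lambda s: s.get("eap_chaining") == BOTH and "DomainUsers" in s.get("ad_groups", []),
     {"dacl": "NO_MGMT", "vlan": None}),
    ("MachineOnly",                                  # pre-login: host only
     lambda s: s.get("eap_chaining") == MACHINE_ONLY,
     {"dacl": "NO_MGMT", "vlan": None}),
    ("Printers_MAB",                                 # profiled printer on MAB
     lambda s: s.get("auth") == "mab" and s.get("profile") == "Printer",
     {"dacl": "MAB_RESTRICTED", "vlan": 200}),
]


def authorize(session):
    """Return the first matching rule's result, or None for the default reject."""
    for name, cond, result in AUTHZ_POLICY:
        if cond(session):
            return dict(result, rule=name)
    return None


def _dst_network(tokens):
    """Consume a destination spec: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(f"{tokens.pop(0)}/32")
    wildcard = int(ip_address(tokens.pop(0)))
    prefix = bin(wildcard ^ 0xFFFFFFFF).count("1")   # contiguous wildcard assumed
    return ip_network(f"{tok}/{prefix}", strict=False)


def parse_ace(line):
    """'permit|deny proto any <dst> [eq port]' -> (action, proto, network, port)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if tokens[2] != "any":
        raise ValueError("dACL source must be 'any'")
    tokens = tokens[3:]
    dst = _dst_network(tokens)
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return action, proto, dst, port


def dacl_allows(dacl_name, proto, dst_ip, dst_port):
    """First matching ACE wins; no match means the implicit deny applies."""
    dst = ip_address(dst_ip)
    for line in DACLS[dacl_name]:
        action, rproto, net, port = parse_ace(line)
        if rproto not in ("ip", proto) or dst not in net:
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False


if __name__ == "__main__":
    user = {"auth": "dot1x", "eap_chaining": BOTH, "ad_groups": ["DomainUsers"]}
    result = authorize(user)
    print(result, "mgmt ssh allowed:", dacl_allows(result["dacl"], "tcp", "10.255.0.5", 22))
```

The matcher deliberately ignores the source address, which is the one property that makes dACLs VLAN-agnostic on the switch; if you port this check to real ISE output, keep the rule that every line starts with `any` as the source, since a dACL with an explicit source fails to download.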

sanchezeldorado
Level 1

Thank you both! I'll start by crawling and try to find that balance. I had never heard of dCloud, but I'm definitely going to have to give it a try.