
Testing will tell: how to prepare for a Cisco ISE implementation and understand which features of the system you need



How often do you buy something on impulse, swayed by slick advertising, only for the once-coveted item to gather dust in a closet, pantry or garage until the next big clean-up or move? The result is disappointment over unmet expectations and wasted money. It is far worse when this happens to a business. Very often, marketing is so persuasive that companies acquire an expensive solution without seeing the full picture of how it will be used. Trial testing of a system, on the other hand, shows how to prepare the infrastructure for integration, which functionality should be implemented and to what extent. This lets you avoid a huge number of problems caused by choosing a product "blind." A well-run pilot also costs the engineers far fewer frayed nerves and grey hairs. Let us look at why pilot testing is so important for a successful project, using the example of a popular tool for controlling access to the corporate network, Cisco ISE. We will consider both typical and completely non-standard applications of the solution that we have encountered in our practice.

Cisco ISE: a "RADIUS server on steroids"


Cisco Identity Services Engine (ISE) is a platform for building an access control system for an organization's local area network. In the expert community the product is nicknamed a "RADIUS server on steroids" for its capabilities. Why? At its core the solution is a RADIUS server onto which a large number of additional services and "tweaks" have been bolted, allowing it to collect a great deal of contextual information and to apply that data set in access policies.

Like any other RADIUS server, Cisco ISE interacts with the access-layer network equipment, collects information about every attempt to connect to the corporate network and, based on authentication and authorization policies, either admits users to the LAN or refuses them. However, the profiling, posture and integration capabilities with other security solutions make it possible to build far more elaborate authorization logic and thereby solve rather difficult and interesting tasks.


Implement, can't pilot: why do you need testing?


The value of pilot testing is that it demonstrates all the capabilities of the system in the specific infrastructure of a specific organization. I am convinced that piloting Cisco ISE before deployment is useful to every project participant, and here is why.

For integrators, it gives a clear idea of the customer's expectations and helps to draw up a proper statement of work containing far more detail than the common phrase "make it so that everything is good." A pilot lets us feel the customer's pain and understand which tasks are priorities for them and which are secondary. For us it is also a great opportunity to learn in advance what equipment the organization uses, how the implementation will proceed, on which platforms, where they are located, and so on.

During pilot testing, customers see the real system in action, get familiar with its interface, can check whether it is compatible with their hardware, and get a complete picture of how the solution will work after full implementation. The pilot is precisely the moment when you can see all the "pitfalls" you are most likely to run into during integration, and decide how many licenses you need to purchase.

What can surface during the pilot


So how do you properly prepare for a Cisco ISE implementation? From our experience we have identified 4 main points that are important to take into account during pilot testing of the system.

Form factor


First you need to decide in which form factor the system will be deployed: physical or virtual appliances. Each option has advantages and disadvantages. For example, the strength of physical appliances is predictable performance, but one should not forget that such devices become obsolete over time. Virtual appliances are less predictable, because they depend on the hardware on which the virtualization environment runs, but they have a serious plus: as long as you have a support contract, you can always upgrade to the latest version.

Is your network equipment compatible with Cisco ISE?


Of course, the ideal scenario would be to connect all the equipment to the system at once. However, this is not always possible, as many organizations still use unmanaged switches, or switches that do not support some of the technologies Cisco ISE relies on. And it is not only about switches: this also applies to wireless controllers, VPN concentrators, and any other equipment that users connect to. In my practice there have been cases when, after a demonstration of the system, the customer replaced almost the entire fleet of access-layer switches with modern Cisco equipment for the full implementation. To avoid unpleasant surprises, you should find out in advance what proportion of your equipment is unsupported.

Are all your devices typical?


Any network has typical devices whose connection should pose no difficulties: workstations, IP phones, Wi-Fi access points, video cameras and so on. But it also happens that non-standard devices need to be connected to the LAN, for example RS232/Ethernet bus signal converters, uninterruptible power supply interfaces, various industrial equipment, etc. It is important to determine the list of such devices in advance so that you already understand how, technically, they will work with Cisco ISE.

Constructive dialogue with IT people


Often the customers for Cisco ISE are security departments, while IT departments are usually responsible for configuring access-layer switches and Active Directory. Productive interaction between security staff and IT specialists is therefore one of the important conditions for a smooth implementation of the system. If the latter perceive the integration "with hostility," it is worth explaining to them how the solution will benefit the IT department.

Top 5 Cisco ISE use cases


In our experience, the functionality actually needed from the system is also discovered at the pilot testing stage. Below are some of the most popular and some less common use cases for the solution.

Secure LAN access over the wire with EAP-TLS


As the findings of our pentesters show, attackers quite often break into a company's network through ordinary network jacks to which printers, telephones, IP cameras, Wi-Fi access points and other non-personal network devices are connected. So even if network access is based on 802.1X, if alternative EAP methods are used without user authentication certificates, the likelihood of a successful attack involving session interception and password brute force is high. With Cisco ISE and EAP-TLS it is much harder to extract the certificate, as attackers would need far more computing power, which makes this use case very effective.

Dual-SSID Wireless Access


The essence of this scenario is to use 2 network identifiers (SSIDs). One of them can be called "guest." Both guests and company employees can join the wireless network through it. When attempting to connect, the latter are redirected to a special portal where provisioning takes place: the user is issued a certificate and their personal device is configured to reconnect automatically to the second SSID, which already uses EAP-TLS with all the advantages of the first use case.

MAC Authentication Bypass and Profiling


Another popular use case is to automatically determine the type of a connecting device and apply the correct restrictions to it. What makes it interesting? The fact is that there are still quite a few devices that do not support 802.1X authentication. Such devices have to be admitted to the network by MAC address, which is fairly easy to spoof. Here Cisco ISE comes to the rescue: with the system you can see how the device behaves on the network, build its profile and assign it to a group with other devices, for example IP phones or workstations. When an attacker attempts to spoof a MAC address and connect to the network, the system will see that the device profile has changed, raise an alert about suspicious behavior and refuse the suspicious endpoint access to the network.
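To make the profile-change idea concrete, here is an added toy profiler (it is not Cisco ISE code and does not use its APIs): it assigns a profile from constructed observations of the kind ISE profiling collects (OUI vendor, DHCP class identifier, CDP capabilities, open ports) and flags a MAC address that reappears with a different profile, which is what a MAB-only check would miss.

```python
"""Toy endpoint profiler illustrating profile-change detection for MAB endpoints.
Added example; attribute names, rules and sample records are constructed."""
from dataclasses import dataclass, field


@dataclass
class Observation:
    mac: str
    oui_vendor: str              # vendor decoded from the MAC prefix (constructed)
    dhcp_class_id: str = ""      # DHCP option 60 vendor class identifier
    cdp_capabilities: str = ""   # e.g. "Phone" or "Host" as seen via CDP/LLDP
    open_ports: frozenset = field(default_factory=frozenset)


# Ordered profile rules: first matching rule wins (simplified stand-in for ISE policies)
PROFILE_RULES = [
    ("Cisco-IP-Phone", lambda o: o.oui_vendor == "Cisco" and o.cdp_capabilities == "Phone"),
    ("Workstation", lambda o: "MSFT" in o.dhcp_class_id or 445 in o.open_ports),
    ("Printer", lambda o: 9100 in o.open_ports or 631 in o.open_ports),
]


def classify(obs: Observation) -> str:
    """Return the profile name for one observation, or 'Unknown'."""
    for name, matches in PROFILE_RULES:
        if matches(obs):
            return name
    return "Unknown"


def evaluate(known: dict, obs: Observation) -> str:
    """Decide access for a MAB endpoint; 'known' maps MAC -> last assigned profile.
    A MAC that comes back with a different profile is treated as anomalous."""
    profile = classify(obs)
    previous = known.get(obs.mac)
    if previous is not None and previous != profile:
        return "deny:anomalous-endpoint"   # profile changed: likely MAC spoofing
    known[obs.mac] = profile
    return "quarantine:Unknown" if profile == "Unknown" else "permit:" + profile


def run_demo() -> list:
    """Constructed scenario: a phone is profiled, then a PC reuses the phone's MAC."""
    known = {}
    phone = Observation("00:11:22:aa:bb:cc", "Cisco", cdp_capabilities="Phone")
    spoof = Observation("00:11:22:aa:bb:cc", "Cisco", dhcp_class_id="MSFT 5.0",
                        open_ports=frozenset({445}))
    return [evaluate(known, phone), evaluate(known, spoof)]
```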

EAP Chaining


EAP Chaining means sequential authentication of the work PC and the user account. This use case is widespread because many companies still do not welcome employees' personal gadgets on the corporate LAN. With this approach to authentication you can check whether a particular workstation is a domain member, and if it is not, the user either does not get onto the network at all or gets in with certain restrictions.

Posture


This use case concerns assessing whether the software on a workstation complies with information security requirements. With this technology you can check whether the workstation's software is up to date, whether security tools are installed on it, whether the host firewall is configured, etc. Interestingly, it can also solve non-security tasks, for example checking for the presence of required files or installing company-wide software.

Less common scenarios for Cisco ISE include access control with transparent domain authentication (Passive ID), SGT-based microsegmentation and filtering, and integration with mobile device management (MDM) and vulnerability scanners.

Non-standard projects: what else Cisco ISE might be needed for, or 3 rare cases from our practice


Linux Access Control


Once we solved a rather non-trivial task for a customer who already had Cisco ISE in place: we needed to find a way to control user actions (mostly administrators') on Linux servers. Looking for an answer, we hit on the idea of using the free PAM RADIUS module, which allows logging in to Linux servers with authentication against an external RADIUS server. Everything about this plan would have been fine if not for one "but": the RADIUS server, in its reply to an authentication request, returns only the account name and the result, Access-Accept or Access-Reject. Meanwhile, to authorize a user in Linux you need to assign at least one more parameter, the home directory, so that the user at least lands somewhere. We did not find a way to pass it as a RADIUS attribute, so we wrote a dedicated script for creating accounts on the hosts remotely in semi-automatic mode. This was quite feasible, since we were dealing with administrator accounts, of which there were not that many. Users then came to the required host and were assigned the necessary access. A reasonable question arises: is Cisco ISE necessary in such cases? Actually, no: any RADIUS server will do, but since the customer already had this system, we simply added a new capability to it.

Inventory of hardware and software on the LAN


Once we were working on a project to deliver Cisco ISE to a customer without a prior pilot. There were no clear requirements for the solution, and on top of that we were dealing with a flat, unsegmented network, which complicated the task. During the project we configured every profiling method the network supported: NetFlow, DHCP, SNMP, integration with AD, etc. In the end, MAR access was configured with the ability to get onto the network even when authentication failed. That is, even if authentication was unsuccessful, the system still admitted the user to the network, collected information about them and recorded it in the ISE database. Monitoring the network this way for several weeks helped us identify the connected systems and non-personal devices and develop an approach to segmenting them. After that we additionally configured a subscription to install an agent on workstations in order to collect information about the software installed on them. The result? We managed to segment the network and determine the list of software that had to be removed from workstations. I will not hide that the subsequent tasks of distributing users across domain groups and differentiating access rights took us a lot of time, but in this way we obtained a complete picture of what hardware the customer had on the network. It was made easier by the good out-of-the-box profiling. And where profiling did not help, we investigated ourselves, starting from the switch port the equipment was connected to.

Remote software installation on workstations


This case is one of the strangest in my practice. One day a customer came to us with a cry for help: while implementing Cisco ISE something had gone wrong, everything had broken, and nobody could get onto the network any more. We started investigating and found out the following. The company had 2,000 computers managed under an administrator account, with no domain controller. Cisco ISE had been deployed in the organization for posture assessment: they needed some way to find out whether an antivirus was installed on the existing PCs, whether the software environment was up to date, etc. And since the IT administrators had network equipment in the system, naturally they had access to it. After seeing how it worked and testing it on their own PCs, the administrators decided to install software on employees' workstations remotely, without visiting them in person. Just imagine how many steps a day that saves! The admins configured several posture checks of workstations for the presence of a specific file in the C:\Program Files directory, and if it was missing, automatic remediation was triggered with a link to the file share holding the installation .exe. This let ordinary users follow the link and download the necessary software from there. Unfortunately, the admin did not know ISE well and broke the posture mechanism: he wrote the policy incorrectly, which led to the problem we were called in to fix. Personally, I am genuinely surprised by such a creative approach, because setting up a domain controller would have been much cheaper and less labor-intensive. But as a proof of concept it worked.

For more on the technical details of implementing Cisco ISE, see my colleague's article "Cisco ISE Implementation Practice. An Engineer's View."

Artem Bobrikov, design engineer of the Jet Information Systems Information Security Center

Afterword:
Although this post talks about Cisco ISE, the issues described are relevant for the entire class of NAC solutions. It does not matter much which vendor's solution is planned for implementation; most of the above will still apply.

Source: https://habr.com/ru/post/446722/
