Cisco ISE is Hardening Up; The Secure Access Wizard

The term “wizard” isn’t my favorite one.  It feels like I’m installing Windows for Workgroups 3.11 again or my Linksys WRT54G.  My own preference aside though, Cisco ISE 2.2 is an important release for Cisco and introduces some much needed simplification and adds some great new functionality.  This series of 7 videos took me just under 90 minutes to finish and now I’ve got a number of new things to talk about with enterprises that are looking ahead to software-defined networking.  Identity services will be an important component of that.

Many thanks to Jason Kunst (LinkedIn, Twitter), a Technical Marketing Engineer on the ISE team at Cisco!! The videos provide a walk-through of how to deploy a few important features in about 5 minutes each:

  • Secure access and DOT1X network access
  • Guest access (hot-spot, self-registered, and employee-sponsored)
  • Bring Your Own Device using Dual and Single SSID deployment styles

Here’s the video playlist:


Here’s the breakdown of videos:

  1. ISE Secure Access Wizard Intro: If you saw early versions of this you may have seen it as Easy Wireless.  This tool greatly simplifies deployment of ISE services for wired and wireless access for employees, employee BYOD, and guest access.
  2. ISE Secure Access Wizard: Hotspot Guest Access in 5 minutes.
  3. ISE Secure Access Wizard: BYOD (Single SSID Style) in 5 minutes.
  4. ISE Secure Access Wizard: DOT1X deployed in 5 minutes.
  5. ISE Secure Access Wizard: Guest Self Registration deployment in 5 minutes.
  6. ISE Secure Access Wizard: BYOD (Dual SSID Style) deployment in 5 minutes.
  7. ISE Secure Access Wizard: Sponsored Guest Portal deployment in 5 minutes.

I’ve been running Cisco ACS since v1.2. What now?

I may be showing my age a bit here but I love Cisco ACS and started using it back when it was still in diapers at version 1.2.  The interface wasn’t the prettiest but it did one job and it did it REALLY well.  My beloved ACS is about to go into retirement and move to… wherever auth servers go when they retire, leaving room for something new.

I don’t know what you’ve heard about Cisco ISE but if you look at the marketing materials you might think it does just about everything, including washing the dishes.  (Spoiler alert: it doesn’t do dishes.)  One thing Cisco ISE does REALLY well is take over where ACS leaves off, and it’s not very expensive to do it, either.

For those of you wanting to know what this would mean for your environment, I’d like to direct you to 5 YouTube videos that will educate and train you on the entire process, with only a 2.5 hour time investment.  Thank you to Krishnan Thiruvengadam for posting these great videos!

Part 1: Overview and Planning for the ACS to ISE Migration (1 hour)

Part 2: Preparing for the Migration (24 minutes)

Part 3: Migration Process and Demonstration – Video 1 of 3 (17 minutes)

Part 3: Migration Process and Demonstration – Video 2 of 3 (29 minutes)

Part 3: Migration Process and Demonstration – Video 3 of 3 (14 minutes)


Please let me know what you thought of these videos!

#WirelessFriday January 2017 – Questions and Responses

We had a great #WirelessFriday on January 20, 2017!  The topic was all about GUEST ACCESS. We answered questions such as: Is there a technical reason why guest access should be super easy? What kind of self-service guest authorization mechanisms are there? What would the guest experience be and how is that managed on the back-end?  If you weren’t able to join us live, you can watch the recording.  Here are the questions that came up during the call and the responses from our panelists.

We heard from Robert Roulhac, Cisco Virtual Systems Engineer, Security Focus.

I would like to thank the following panelists:

  • Allan Ross, Enterprise Networking CSE, Cisco
  • Ben Edwards, Enterprise Networking CSE, Cisco
  • AJ Shah, Enterprise Networking CSE, Cisco

Q1.  How does SMS integration work?
A1.  ISE uses an SMS gateway to forward SMS messages to the user.

Q2.  Is there any way a guest can select or put in an email address for a sponsor?
A2.  You can utilize a sponsor portal to create guest accounts for users. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/sponsor_guide/b_spons_SponsorPortalUserGuide_21/Support_Guests.html

Q3.  We have set up guest access in such a way that a sponsor has to create an account for the guest… Is there any way the guest can enter an employee’s email address and the employee gets an email to approve the guest request?
A3.  Yes, sponsors can also receive email notifications requiring their approval for self-registering guests. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01110.html#task_1EAD5E171B7849EDA41

Q4.  What if you don’t use ISE but currently have a guest anchor. Does this merge easily?
A4.  The deployment of ISE would be identical on a primary or a guest anchor controller.

Q5.  To clarify which is easier: today I have an anchor; what’s the advantage of ISE?
A5.  ISE provides the same functionality on a guest anchor as it would on an internal controller.

Q6.  Does ISE integrate with Meraki?
A6.  Yes, it does. Please see https://communities.cisco.com/docs/DOC-68192

Q7.  The guest service could then be provided on both the Meraki network and Corp HQ WLC?
A7.  Yes, Meraki is just another Network Access Device (NAD) in ISE.

Q8.  Is it best practice to keep SSIDs down to a minimum, in the 3-4 range?
A8.  Yes, the fewer the better.  Each SSID requires management overhead of airtime. Management frames are sent at the lowest configured data rate and eat valuable airtime that could carry data to clients. https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Multi-SSID_Deployment_Considerations

Q9.  In a non-anchor deployment, the ACLs would have to allow guest traffic reach the corporate authentication server (ISE), correct?
A9.  That is correct for the redirect.  To clarify, data traffic does not traverse the corporate network, only the webauth redirect for authentication.

Q10.  Does the auto-WLC-configuration script also configure URL redirection for HTTPS?
A10.  The redirect URL is passed from ISE to the WLC via RADIUS when the user associates.

Q11.  Can the guest provisioning be utilized against an existing SSID?
A11.  Yes, once the WLC is integrated with ISE.

Q12.  What impact do WLC timeout settings have?
A12.  Authorization timeouts should be set in ISE and not in the WLC. If you are using ISE, it is advised to remove the session timeout values from the WLC.

Q13.  Isn’t there a security concern allowing 80 or 443 to ISE from guest endpoints?
A13.  ISE is a hardened appliance. Access is controlled via the pre-auth ACL to only the ports the ACL allows.

Q14.  Does the ISE guest SSID provisioning create the ACL on the WLC also?
A14.  Using the guest wizard in ISE 2.2, it will be provisioned on the WLC via the wizard. Before ISE 2.2 the ACL will have to be manually configured.


5 Amazing New @Cisco_Mobility Features Because of Exclusive Apple/Cisco Partnership

THE EDGE MATTERS! It matters what kind of APs we join and what kind of switch we plug into. There are some who want us to believe the edge is a commodity because they don’t (or can’t) have what we have. Our products are built for digital business with security woven throughout (Be sure to ask about the Stealthwatch (demo) promotion when you buy Cisco ONE licenses!).

I want to bring to your attention a new Cisco Blog article on Spark & the Cisco/Apple Exclusive Partnership. It’s a GREAT one to share on social media! Then as I was putting this note together an article came across my Spark feed:

Neat article on the Cisco / Apple partnership and iOS 10. http://www.zdnet.com/article/cisco-apple-partnership-comes-to-fruition-with-ios-10

How timely! It’s funny though because the available descriptions of these new features are either super high level or super technical. The statement “Apple devices work better on a Cisco network” is 100% true and 100% defendable. AND it’s true for both On Premises and Meraki Cloud Managed wireless! Trouble is some of the available detail is way too high level:

  • Higher reliability for real-time applications—66 times decrease in probability of poor audio quality experiences
  • Improved quality of experience—10 times more successful web browsing experience
  • Enhanced network performance—86 percent reduction in network message load from the device during roaming
  • Ease of management—Up to 50 percent reduction in network overhead due to SSIDs

Or it gets vague and overly technical in the On Premises release notes for the new 8.3 controller code:

  • Fastlane QoS
  • 802.11r Fast Transition
  • 802.11v BSS Transition Support
  • Assisted Roaming
  • EDCA Parameters

So here’s the medium-techie way to describe the new Apple features.  These are available NOW with our 8.3 code for On Premises controllers and APs as well as our Meraki Cloud managed solution…

  • Fastlane QoS: With iOS 10 devices customers have the ability to “fast lane” certain applications, granting prioritized network bandwidth to apps with an iOS 10-embedded quality of service (QoS) tag. The new capability offers end-to-end improvement in performance across iOS applications.

(Configure On Premises Fastlane QoS) (Fastlane on Meraki)

  • 802.11r Fast Transition: 802.11r (aka Fast Roaming) introduces a new concept of roaming where the process of roaming is done even before the client actually moves to the target AP (this is called Fast Transition).

(Configure On Premises Fast Transition) (Configure 802.11r in Meraki)

  • 802.11v BSS Transition Support: Two cool things happen here:
    • Network assisted Power Savings which helps clients to improve battery life by enabling them to sleep longer. Mobile devices typically wake at regular idle intervals to confirm that they are still connected to the access point, and every such wake-up costs battery; letting the network tell the client how long it can safely sleep reduces that cost.
    • Network assisted Roaming which enables the WLAN to send requests to associated clients, advising the clients as to better APs to associate to. This is useful for both load balancing and in directing poorly connected clients.

(Here’s how to configure it for On Premises.)

  • Assisted Roaming: This is also known as 802.11k. The 802.11k standard allows clients to request reports containing information about known neighbor APs that are candidates for roaming.

(Configure On Premises Assisted Roaming) (Configure in Meraki)

  • EDCA Parameters: Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality-of-service (QoS) traffic. This new version of code gives much better control to network administrators.

(Configure & tune On Premises EDCA) (Configure Meraki Bandwidth and Traffic Shaping)

Please comment below and share this article and ask your Cisco reseller/sales team about the Cisco & Apple partnership and how you can be ready to take advantage of these amazing features.

13 Things Your WLAN Should be Doing (or NOT) – How Do You Measure Up?

Regardless of what WLAN vendor you have, there are 13 things you should be doing with your WLAN.

  1. Disable the 1, 2, 5.5 and 11 Mbps data rates – just make sure you’re REALLY done with 802.11b (hey, 1992 called, they want their barcode scanner back)
  2. No more than 4 SSIDs active per radio – Any more and you’re creating interference for yourself.
  3. Turn on the multicast functions for all cases – Make sure it’s configured! If you don’t, your multicasts will go out as broadcasts and everyone suffers.
  4. Mobility group (same name) should be 15 controllers or less – It should cover only the RF roaming space. No need for messages from one campus to flow to another.
  5. Have a low RADIUS timeout depending on usage scenario (not a general change) – Tends to speed up authentications.
  6. Internal DHCP servers (on controllers/APs) shouldn’t be used – They just don’t scale well. (Great for a lab, however.)
  7. Don’t use local EAP – Does not scale well on larger networks.
  8. Recommend changing EAP retries to 4, timeout to 400ms – This speeds up the failure if someone types the wrong password.
  9. Set the minimum RSSI for rogue APs to –80 dBm – Who cares if I can hear someone across the street. It’s not a “rogue”.
  10. Disable all rogue auto contain settings – unless absolutely needed for security reasons
  11. Enable Application Visibility – Even if you’re not building a policy for QoS or restrictions, at least it’s there for troubleshooting.
  12. Enable Fast SSID – Especially for Apple Clients
  13. Enable CleanAir if you have APs that are capable – Take advantage of this feature.
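Q8 in the #WirelessFriday section and items 1 and 2 above make the same point from two sides: each SSID sends its own beacon every beacon interval at the lowest basic rate, so SSID count and the lowest enabled rate together set the management overhead. The following is an added example (not code from the original post) that estimates that overhead; the 300-byte beacon length and the preamble durations are simplifying assumptions, and probe responses are ignored.

```python
# Added example: estimate the share of a radio's airtime that beacons alone
# consume, as a function of SSID count and the lowest enabled data rate.
# Frame size and preamble figures are simplifying assumptions.

BEACON_INTERVAL_TU = 100      # default beacon interval, in Time Units
TU_US = 1024                  # one Time Unit is 1024 microseconds
BEACON_BYTES = 300            # assumed beacon length incl. MAC header and FCS

# Fixed PHY overhead transmitted before the frame body, in microseconds.
PHY_PREAMBLE_US = {
    "dsss_long": 192,  # 802.11b long preamble + PLCP header (used at 1 Mbps)
    "ofdm": 20,        # 802.11a/g preamble + SIGNAL field (6 Mbps and up)
}


def beacon_airtime_us(rate_mbps, phy, frame_bytes=BEACON_BYTES):
    """Approximate on-air time of one beacon; ignores SIFS and contention."""
    return PHY_PREAMBLE_US[phy] + frame_bytes * 8 / rate_mbps


def beacon_overhead_pct(n_ssids, rate_mbps, phy):
    """Percent of a radio's airtime spent sending beacons for n_ssids."""
    beacons_per_sec = 1_000_000 / (BEACON_INTERVAL_TU * TU_US)   # ~9.77/s
    per_ssid_us = beacon_airtime_us(rate_mbps, phy) * beacons_per_sec
    return n_ssids * per_ssid_us / 1_000_000 * 100


def overhead_table(ssid_counts=(1, 4, 8)):
    """Compare beacons at 1 Mbps (802.11b rates enabled) with beacons at
    6 Mbps (1/2/5.5/11 disabled, so 6 Mbps is the lowest basic rate)."""
    return {
        n: {
            "1_mbps_dsss": beacon_overhead_pct(n, 1, "dsss_long"),
            "6_mbps_ofdm": beacon_overhead_pct(n, 6, "ofdm"),
        }
        for n in ssid_counts
    }


if __name__ == "__main__":
    for n, row in overhead_table().items():
        print(f"{n} SSIDs: {row['1_mbps_dsss']:5.2f}% at 1 Mbps, "
              f"{row['6_mbps_ofdm']:5.2f}% at 6 Mbps")
```

With these assumptions, 8 SSIDs beaconing at 1 Mbps spend roughly a fifth of the radio's airtime on beacons before any client sends data, while 4 SSIDs at 6 Mbps cost under 2%.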

How did you stack up?