
Cisco ISE 2.1 Easy Connect

Tuesday, September 13th, 2016

One of the more complex configuration components of a Cisco ISE deployment, and possibly a stumbling block when deciding whether to deploy it in a corporate network, was the configuration of 802.1X. 802.1X required client-side supplicants (native or Cisco-provided) to be configured, specialised switch configuration, and an in-depth understanding of the RADIUS protocol, all of which added considerable complexity and time to the deployment.

With the ISE 2.1 release, Cisco introduced Easy Connect, which enables you to easily connect users from a wired endpoint to a network in a secure manner by authenticating them through an Active Directory Domain Controller and not by Cisco ISE. Easy Connect supports wired connections using MAB, which is much easier to configure than 802.1X.

Easy Connect supports two modes: Enforcement mode, which actively downloads the authorization policy to the network device for enforcement based on the user credentials, and Visibility mode, in which ISE publishes the session merge and accounting information received from the NAD device sensor to pxGrid.

The Easy Connect Enforcement mode process is as follows:

1. The user connects to the NAD from a wired endpoint (running Windows).

2. The NAD (which is configured for MAB) sends an access request to ISE. ISE responds with access, based on user configuration, allowing the user to access AD. The configuration must allow at least access to DNS, DHCP and AD (this will be part of the pre-auth ACL).

3. The user logs in to the domain and a security audit event is sent to ISE.

4. ISE collects the MAC address from RADIUS and the IP address and domain name, as well as accounting information (login information) about the user, from the security audit event, using WMI.

5. Once all data is collected and merged in the ISE session directory, ISE issues a CoA to the NAD (based on the appropriate policy), and the user is provided access by the NAD to the network based on that policy.
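The switch side of steps 1, 2 and 5, as an added example that is not from the original post or from Cisco's documentation. It assumes classic Cisco IOS 15.x syntax; the addresses (documentation range 192.0.2.0/24), the ACL and server names, the interface and the `<shared-secret>` placeholder are all hypothetical.

```cisco
! Added example. Assumed addresses:
!   192.0.2.10 = AD domain controller (also DNS), 192.0.2.20 = ISE node
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Step 5: allow ISE to send a CoA to this NAD
aaa server radius dynamic-author
 client 192.0.2.20 server-key <shared-secret>
!
! Lets the switch learn the endpoint IP so it can be reported
! to ISE in RADIUS accounting (Framed-IP-Address)
ip device tracking
!
! Step 2: before the domain login, permit only DHCP, DNS and AD
ip access-list extended ACL-PREAUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 permit ip any host 192.0.2.10
 deny ip any any
!
! Steps 1-2: MAB-only access port, no 802.1X supplicant needed
interface GigabitEthernet1/0/1
 switchport mode access
 ip access-group ACL-PREAUTH in
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 spanning-tree portfast
```

The `permit ip any host 192.0.2.10` entry is deliberately broad to keep the example short; in production, narrow it to the ports your domain controllers actually need.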

Easy Connect Restrictions include:

MAC Authentication Bypass (MAB) supports Easy Connect. Both MAB and 802.1X can be configured on the same port, but you must have a different ISE policy for each service.

Only MAB connections are currently supported. You do not need a unique authentication policy for connections, because the connection is authorized and permissions are granted by an Easy Connect condition defined in the authorization policy.

Only Cisco Network Access Devices (NADs) are supported.

IPv6 is not supported.

Wireless connections are not currently supported.

This is a great feature added to ISE, and one that will give corporate customers more confidence in deploying it, as the workload and complexity of an ISE deployment have now been reduced a little.

For further information have a look at the following link: ISE Admin guide

 


Gabriel Bryson

Lead Security Instructor for Fast Lane UK


Cisco 2016 Midyear Cybersecurity Report

Thursday, September 8th, 2016

Defenders must reduce attackers’ time to operate. It is the key to undermining their success.

Attackers currently enjoy unconstrained time to operate. Their campaigns, which often take advantage of known vulnerabilities that organizations and end users could have—and should have—known about and addressed, can remain active and undetected for days, months, or even longer. Defenders, meanwhile, struggle to gain visibility into threat activity and to reduce the time to detection (TTD) of both known and new threats. They are making clear strides but still have a long way to go to truly undermine adversaries’ ability to lay the foundation for attacks—and strike with high and profitable impact.

The Cisco® 2016 Midyear Cybersecurity Report—which presents research, insights, and perspectives from Cisco Security Research—updates security professionals on the trends covered in our previous security report while also examining developments that may affect the security landscape later this year.

Can you reduce an adversary’s chance to carry out a cyber attack? Download Cisco’s Midyear Cybersecurity Report now for the latest research, insights and perspectives from Cisco’s security experts. Download now!

To view Fast Lane’s Cisco Cybersecurity courses please click here.
