Demystifying TrustSec,
Identity, NAC and ISE

         Hosuk Won, TrustSec TME
         howon@cisco.com
         Secure Access & Mobility Product Group




                                                  #CiscoPlus
Session Abstract

• This session is a technical breakout that will help demystify
  the technology behind the Cisco TrustSec System,
  including the Identity Services Engine.
• We will build use cases to introduce, compare, and contrast
  different access control features and solutions, and discuss
  how they are used within the TrustSec System.
• The technologies that will be covered include user & device
  authorization, 802.1X, Profiling Technology, supplicants,
  certificates/PKI, Posture, CoA, RADIUS, EAP, Guest
  Access, Security Group Access (SGA), and 802.1AE
  (MACsec).
• All of the technologies will be discussed in relation to
  Cisco's Identity Services Engine

Session Objectives
    At the end of the session, you should understand:

    • The many parts and pieces that make up Cisco's TrustSec
      Solution
    • How 802.1X and SGA work
    • The benefits of deploying TrustSec
    • The different deployment scenarios that are possible

    You should also:

    • Provide us with feedback!
    • Attend related sessions that interest you
    • Have a nice glossary of terms at your disposal
Cisco's Trusted Security (TrustSec)
What is TrustSec
• Yes, it can be confusing

  • Think of it as "Next-Generation NAC"
  • TrustSec is a System approach to Access Control:
     IEEE 802.1X (Dot1x)
     Profiling Technologies
     Guest Services
     Secure Group Access (SGA)
     MACSec (802.1AE)
     Identity Services Engine (ISE)
     Access Control Server (ACS)




So, TrustSec = Identity, Right?

  • Yes, but it refers to an Identity System (or solution)
     Policy Servers are only as good as the enforcement device
         (Switches, WLCs, Firewalls, etc.)
  • But what is "Identity"?
     • Understanding the Who / What / Where / When & How of a user
       or device's access to a network.
Why Identity Is Important
  1. Who are you?
     802.1X (or a supplementary method) authenticates the user.
     Benefit: keep the outsiders out.
  2. Where can you go?
     Based on authentication, the user is placed in the correct VLAN.
     Benefit: keep the insiders honest.
  3. What service level do you receive?
     The user can be given per-user services (ACLs, Macros, SGA).
     Benefit: personalize the network.
  4. What are you doing?
     The user's identity and location can be used for tracking and accounting.
     Benefit: increase network visibility.
What Is Authentication?

    • Authentication is the process of establishing and
      confirming the identity of a client requesting services


                       I’d Like to Withdraw $200.00 Please.

                              Do You Have Identification?

                                 Yes, I Do. Here It Is.




    An Authentication System Is Only as Strong as the Method of Verification Used




What Is Authorization?
    • Authorization is the process of granting a level of access to the
      network
                       I’d Like to Withdraw $200.00 Please.

                              Do You Have Identification?

                                 Yes, I Do. Here It Is.

                           Thank You. Here is your money.




The Business Case


Business Case

   • Throughout the presentation, we will refer to a business
     case, one that will continue to evolve:
      Company: Retailer-X
      Problem Definition:
          The company stores credit card data from all sales transactions.
              As with all companies, vendors & guests are constantly visiting Retailer-X
              to pitch new products to be sold, or even to sell network, security &
              collaboration equipment to Retailer-X.
          The company must ensure that only Retailer-X employees are gaining access to
          the network.
      Solution: Identity with 802.1X
Default Port State without 802.1X

         No Authentication Required

           No visibility
           No Access Control

  [Figure: an unknown user ("?") attached to a switchport; the switch
   knows nothing about who or what is connected]
Default Security with 802.1X

            Before Authentication

            No visibility (yet)
            Strict Access Control

            One physical port -> two virtual ports:
              Uncontrolled port (EAPoL only)
              Controlled port (everything else)

            ALL traffic except EAPoL is dropped

  [Figure: an unknown user ("?") attached to a switchport; only EAPoL
   frames reach the switch before authentication]
Default Security with 802.1X

                      After Authentication

                     User/Device is Known
                     Identity-based Access Control
                           • Single MAC per port

   Authenticated User: Sally
   Authenticated Machine: XP-ssales-45

   Looks the same as without 802.1X? Having read your mind Sally, that
   is true: unless you apply an authorization, access is wide open.
   We will discuss restricting access at a later time.
Revisit: Business Case

   • Company: Retailer-X
   • Problem Definition: the company stores credit card data from all sales
     transactions; vendors & guests are constantly visiting Retailer-X to pitch
     new products or to sell network, security & collaboration equipment; the
     company must ensure that only Retailer-X employees are gaining access to
     the network.
   • Solution: Identity with 802.1X
Revisit: Business Case
   •   Did we meet the business case? YES!
   •   But what was missing?
   •   What lessons have we learned?
        We called Dot1x an "access prevention" technology




What Happened? What went Wrong?
     At Retailer-X, BEFORE Monitor Mode is available...

     IT Mgr.: "I've done my homework in the Proof of Concept lab and it
     looks good. I'm turning on 802.1X tomorrow..."
         -> Enabled 802.1X

     User: "I can't connect to my network. It says Authentication failed
     but I don't know how to fix it. My presentation is in 2 hours..."

     Help Desk calls increased by 40%
What was missing?
 • What lessons were learned?
   • 802.1X on its own is an access-prevention technology
      A Monitor Mode is necessary
      Must have a way to implement it & see who would succeed & who would fail,
          determine why, and then remediate before taking Dot1x into a stronger
          enforcement mode.
   • Solution = Phased Approach to Deployment:
      Monitor Mode
      Authenticated Mode
      Enforcement Mode
          -or-
      Closed Mode
Monitor Mode
  A process, not just a mode.
  • Enables 802.1X Authentication on the Switch
  • But: even a failed Authentication will gain Access
  • Allows Network Admins to see who would have failed, and fix it,
    before causing a Denial of Service

  Interface Config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator

  [Figure: Pre-AuthC and Post-AuthC switchport. DHCP, TFTP, KRB5, HTTP and
   EAPoL are permitted in both states ("Permit All"): traffic is always allowed]
Authenticated Mode
  If Authentication is Valid, then Full Access!
  • Monitor Mode + ACL to limit traffic flow
  • AuthC success = Full Access
  • Failed AuthC would only be able to communicate with certain services
  • WebAuth for non-Authenticated

  Interface Config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     ip access-group default-ACL in

  [Figure: Pre-AuthC switchport permits only some traffic (DHCP, TFTP, KRB5,
   HTTP, EAPoL, as allowed by default-ACL); Post-AuthC switchport permits all]
Enforcement Mode
   If Authentication is Valid, then Specific Access!
   • AuthC Success = Role Specific Access
      • dVLAN Assignment / dACLs
      • Specific dACL, dVLAN
      • Secure Group Access
   • Still Allows for pre-AuthC Access for Thin Clients, PXE, etc.
   • WebAuth for non-Authenticated

   Interface Config:
     interface GigabitEthernet1/0/1
      authentication host-mode multi-auth
      authentication open
      authentication port-control auto
      mab
      dot1x pae authenticator
      ip access-group default-ACL in

   [Figure: Pre-AuthC switchport permits only some traffic (DHCP, TFTP, KRB5,
    HTTP, EAPoL); Post-AuthC switchport applies a Role-Based ACL and tags the
    session with an SGT (DHCP, RDP, KRB5, HTTP shown)]
Closed Mode
   No Access prior to Login, then Specific Access!
   • Default 802.1X Behavior
   • No access at all prior to AuthC
   • Still use all AuthZ Enforcement Types
      • dACL, dVLAN, SGA
   • Must take considerations for Thin Clients & PXE, etc.

   Interface Config:
     interface GigabitEthernet1/0/1
      authentication host-mode multi-auth
      authentication port-control auto
      mab
      dot1x pae authenticator

   [Figure: Pre-AuthC switchport permits EAPoL only (DHCP, TFTP, KRB5, HTTP
    dropped); Post-AuthC switchport permits all, or applies a Role-Based ACL,
    with an SGT assigned]
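The four interface configurations above differ only in a couple of keywords, and it is easy to lose track of which phase a port is really in. The following is an added example, not code from the deck or from Cisco: it parses IOS-style interface blocks and labels each port with its deployment phase and what an unauthenticated host can send. It also flags two traps worth auditing for: an authenticator that was never taken out of the default force-authorized state (`dot1x pae authenticator` without `authentication port-control auto`, which forwards everything), and a closed-mode port with no `mab`, which will shut out printers and phones. The interface names and the ACL name `default-ACL` are placeholders taken from the slides, and the config text is constructed.

```python
"""Classify 802.1X switchport config into the deployment phases on the slides.

Added example, not the deck's or Cisco's code. It assumes IOS-style
'interface ...' blocks as shown on the slides; the interface names and the
ACL name 'default-ACL' are placeholders and the config text is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample config: one port per phase from the slides, plus two
# ports that look configured but are not actually enforcing anything.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 ip access-group default-ACL in
!
interface GigabitEthernet1/0/3
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 switchport access vlan 10
!
interface GigabitEthernet1/0/5
 authentication open
 mab
 dot1x pae authenticator
!
"""


@dataclass
class PortPolicy:
    name: str
    phase: str          # none | monitor | low-impact | closed
    pre_auth: str       # what an unauthenticated host can send
    warnings: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config excerpt into {interface: [sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None       # '!' or any top-level line ends the block
    return blocks


def classify_port(name: str, lines: List[str]) -> PortPolicy:
    """Map presence/absence of the keywords from the slides to a phase."""
    cmds = set(lines)
    has_authenticator = "dot1x pae authenticator" in cmds or "mab" in cmds
    port_control_auto = "authentication port-control auto" in cmds
    is_open = "authentication open" in cmds
    acl = next((l.split()[2] for l in lines
                if l.startswith("ip access-group ") and l.endswith(" in")), None)
    warnings: List[str] = []

    if not (has_authenticator and port_control_auto):
        if has_authenticator:
            # Authenticator configured, but the port was never taken out of the
            # default force-authorized state: every frame is forwarded.
            warnings.append("authenticator configured without "
                            "'authentication port-control auto'; port is force-authorized")
        return PortPolicy(name, "none", "all", warnings)

    if not is_open:
        phase, pre_auth = "closed", "EAPoL only"       # default 802.1X behaviour
        if "mab" not in cmds:
            warnings.append("closed mode without 'mab': non-authenticating "
                            "devices (printers, phones) will be blocked")
    elif acl:
        # The deck's Authenticated / Enforcement modes: open port, but the
        # static ACL bounds what an unauthenticated host can reach.
        phase, pre_auth = "low-impact", f"filtered by ACL {acl}"
    else:
        phase, pre_auth = "monitor", "all"             # open port, no ACL: audit only
    return PortPolicy(name, phase, pre_auth, warnings)


def audit(config: str) -> Dict[str, PortPolicy]:
    return {name: classify_port(name, lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for policy in audit(SAMPLE_CONFIG).values():
        print(f"{policy.name:24} {policy.phase:11} pre-auth: {policy.pre_auth}")
        for w in policy.warnings:
            print(f"{'':24} WARNING: {w}")
```

Authenticated and Enforcement mode share one interface configuration; the difference between them lives in the authorization results ISE returns, which is why the classifier reports both as "low-impact". Run it against a `show running-config | section interface` export to get a per-port map of the rollout.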
What was missing?
 • What lessons were learned?
   • No visibility from the supplicant
       Little to no user interaction
           The user saw an "Authentication Failed" message, and that was all.
       When everything works, the user is unaware.
           But, when things stop working...
           No visibility. Just a call to the help desk.
   • Solution: 3rd-party supplicants
       Cisco's AnyConnect supplicant
           Provides a Diagnostic and Reporting Tool (DART)
           Detailed logs from the client side
           Unique hooks with RDP and VDI environments
What was missing?
   • What lessons were learned?
     • No Visibility at the RADIUS Server
     • Solution: ACS View -> Identity Services Engine (ISE)
What was missing?
 • What lessons were learned?
   • Non-Authenticating Devices
       These are devices that were forgotten
       They don't have software to talk EAP on the network
           Or, they weren't configured for it
           Printers, IP Phones, Cameras, Badge Readers
       How to work with these?
           Don't configure Dot1x on the SwitchPort
           But, what about when it moves?

   • Solution? Do not use dot1x on ports with Printers
     (crossed out on the slide: it does not hold up once the device moves)
   • Solution: MAC Authentication Bypass (MAB)
MAC Authentication Bypass (MAB)
  • What is it?
    • A list of MAC Addresses that are allowed to "skip"
      authentication
    • Is this a replacement for Dot1X?
       No way!
    • This is a "bandage"
       In a utopia, all devices authenticate.
    • The list may be local or centralized
       Can you think of any benefits to a centralized model?
What was missing?
  • What lessons were learned?
    • Guests:
       Guests will not have configured supplicants.
           Plus: they won't be authorized for access.
       Original Solution:
           Dot1x Timeouts
       How this works:
           After a timeout period, the switchport is automatically put into a Guest VLAN
           which provides Internet access.

  Switch: "No Supplicant has responded for 90 seconds... So just
  AuthZ the port for the GUEST VLAN"
What was missing?
  • What lessons were learned?
    • Missing or Misconfigured Supplicants:
       Group Policies may not have worked
       Software Distribution may have missed a machine that has been
       off-network for a period of time.
          Etc.
       Dot1x Timeouts would take effect
          Someone who should have been an authorized user would end up in the Guest
          Network
          The HelpDesk gets a call from an unhappy user.

  Switch: "No Supplicant has responded for 90 seconds... So just
  AuthZ the port for the GUEST VLAN"
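The two slides above describe the same timer from two sides: a silent port falls into the Guest VLAN, which is what you want for a visitor and exactly what you do not want for an employee whose supplicant never started. The following is an added example, not code from the deck or from Cisco, that simulates that timeout path: EAP-Request/Identity, retransmissions, then fallback to MAB and finally to the Guest VLAN. The timer defaults it assumes (tx-period 30 s, max-reauth-req 2) are the classic IOS defaults and give the 90 seconds quoted on the slide; the endpoints, MAC addresses and MAB list are constructed.

```python
"""Simulate the 802.1X timeout path that puts a port in the Guest VLAN.

Added example, not code from the deck or from Cisco. It models the sequence
the slides describe: the switch sends EAP-Request/Identity, retransmits it,
and on silence falls back to MAB and then to the Guest VLAN. The timer
defaults assumed here (tx-period 30 s, max-reauth-req 2) are the classic IOS
defaults and produce the 90 seconds quoted on the slide. The endpoints, MAC
addresses and MAB list are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Endpoint:
    mac: str
    description: str
    responds_at: Optional[float]   # seconds after link-up when the supplicant answers; None = silent
    is_employee: bool = False      # used only to spot employees that land in the Guest VLAN
    credentials_ok: bool = True


@dataclass
class PortResult:
    method: str                    # dot1x | mab | guest-vlan
    outcome: str                   # authorized | denied
    elapsed: float                 # seconds from link-up to the decision
    timeline: List = field(default_factory=list)


def authenticate_port(ep: Endpoint, mab_list: Set[str],
                      tx_period: float = 30.0, max_reauth_req: int = 2) -> PortResult:
    timeline = []
    # One initial EAP-Request/Identity plus max_reauth_req retransmissions,
    # tx_period seconds apart: silence for tx_period * (max_reauth_req + 1) = timeout.
    deadline = tx_period * (max_reauth_req + 1)
    for attempt in range(max_reauth_req + 1):
        t = attempt * tx_period
        timeline.append((t, "switch -> host: EAP-Request/Identity"))
        if ep.responds_at is not None and t <= ep.responds_at < t + tx_period:
            timeline.append((ep.responds_at, "host -> switch: EAP-Response/Identity"))
            if ep.credentials_ok:
                timeline.append((ep.responds_at, "RADIUS Access-Accept: port authorized"))
                return PortResult("dot1x", "authorized", ep.responds_at, timeline)
            timeline.append((ep.responds_at, "RADIUS Access-Reject: port stays unauthorized"))
            return PortResult("dot1x", "denied", ep.responds_at, timeline)
    timeline.append((deadline, "no EAPoL response: dot1x timed out"))
    if ep.mac.lower() in mab_list:
        timeline.append((deadline, "MAB: MAC found in list, port authorized"))
        return PortResult("mab", "authorized", deadline, timeline)
    timeline.append((deadline, "MAB: MAC unknown, port placed in Guest VLAN"))
    return PortResult("guest-vlan", "authorized", deadline, timeline)


# Constructed endpoints covering the cases on the two slides above.
MAB_LIST = {"00:11:22:33:44:55"}                       # the lobby printer
ENDPOINTS = [
    Endpoint("00:11:22:33:44:55", "printer, no supplicant", None),
    Endpoint("00:11:22:aa:bb:cc", "visitor laptop, no supplicant", None),
    Endpoint("00:11:22:01:02:03", "employee laptop, supplicant OK", 1.5, is_employee=True),
    Endpoint("00:11:22:0d:0e:0f", "employee laptop, supplicant never started", None, is_employee=True),
    Endpoint("00:11:22:77:88:99", "employee laptop, supplicant starts late", 95.0, is_employee=True),
]


def run_all() -> Dict[str, PortResult]:
    return {ep.description: authenticate_port(ep, MAB_LIST) for ep in ENDPOINTS}


def misplaced_employees() -> List[str]:
    """Employees who ended up in the Guest VLAN: the help-desk calls on the slide."""
    results = run_all()
    return [ep.description for ep in ENDPOINTS
            if ep.is_employee and results[ep.description].method == "guest-vlan"]


if __name__ == "__main__":
    for desc, res in run_all().items():
        print(f"{desc:45} -> {res.method:10} {res.outcome:10} at t={res.elapsed:5.1f}s")
    print("misplaced employees:", misplaced_employees())
```

The model stops at the first authorization decision; a real switch would start a fresh 802.1X exchange when the late supplicant finally sends EAPoL, but by then the host has already spent time in the Guest VLAN, which is the symptom the slide describes. Shortening tx-period cuts that window, at the cost of more EAPoL traffic on every link-up.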
Enter: Web Authentication

    • Used to identify users without supplicants
       Mis-configured, missing altogether, etc.
    • Guest Authentication




Business Case Continues to Evolve

• Requirements:
  1. Retailer-X must ensure that only Retailer-X employees are
     gaining access to the network.
  Solution: Identity with 802.1X
  2. Authorized Non-Authenticating Devices must continue to have
     network access.
  Solution: Centralized MAB
  3. Need to Automate the building of the MAB List
  Solution: <Let’s find out>




Profiling




Profiling Technology
   • The ability to classify devices
     • Why Classify?
        Originally: identify the devices that cannot authenticate and
        automagically build the MAB list.
            i.e.: Printer = Bypass Authentication
        Today: Now we also use the profiling data as part of an
        authorization policy.
            i.e.: Authorized User + i-device = Internet Only




Profiling
     • Visibility
        [Figure: endpoint breakdown of PCs versus Non-PCs (UPS, Phone, Printer, AP)]

        Additional benefits of Profiling
           - Visibility: A view of what is truly on your network
                Tracking of where a device has been, what IP Addresses it has had, and
                other historical data.
                An understanding of WHY the device was profiled as a particular type (what
                profile signatures were matched)
Profiling Technology
    Visibility into what is on the network




Profiling Technology
  • How do we Classify a Device?
    • Profiling uses Signatures (similar to IPS)




Profiling
   • Determining required profile attributes




Profiling
   • Best Practice Recommendations
     • HTTP Probe: Use URL Redirects rather than SPAN to centralize
       collection and reduce the traffic load on the network and on ISE
       caused by SPAN/RSPAN.
        Or use VACLs or other ways to filter so that only HTTP traffic is mirrored
     • DHCP Probe:
        Use IP Helpers when possible. Be aware that an L3 device that is itself
        the DHCP server will not relay DHCP, so there is no helper-address copy
        for ISE to receive.
        For DHCP SPAN, make sure the probe captures traffic to the central DHCP
        server.
     • SNMP Probe:
        ISE 1.1 added an SNMP probe to pull ARP tables from Cisco Layer-3
        devices. This adds benefit when DHCP is not used.
Profiling Technology
  • Limitations of Profiling
    • Best Guess: profiling is based on best effort
    • MAB is a Filter: it was only used to determine what MAC
      Addresses were allowed to "skip" Authentication
        Now we also use the profiling data as part of an authorization
        policy.
        i.e.: Authorized User + i-device = Internet Only
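The slides say profiling uses signatures like an IPS, is best-effort, and now feeds authorization rather than just the MAB list. The following is an added example, not code from the deck or from ISE, that makes those three points concrete with a simplified scoring scheme: each profile is a list of conditions over probe attributes, every matched condition adds certainty, and a profile is assigned only when the total clears a minimum, otherwise the endpoint stays Unknown. It also shows the "WHY" the visibility slide asks for (which conditions matched) and builds a MAB list from the profiled printers and phones. The OUI table, the signatures and their weights, the threshold and the endpoint attributes are all constructed.

```python
"""Signature-based endpoint profiling with a minimum certainty.

Added example, not the deck's or ISE's code. It follows the idea on the
slides (a profile is a signature over attributes gathered by probes, matched
on a best-effort basis) with a simplified scoring scheme: every matched
condition adds certainty and a profile is assigned only when the total clears
a threshold, otherwise the endpoint stays Unknown. The OUI table, profile
signatures, weights, threshold and endpoint attributes are all constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed OUI table (first three octets -> vendor). Real deployments use the IEEE list.
OUI_VENDOR = {"00:11:22": "Cisco", "00:33:44": "Hewlett-Packard", "00:55:66": "Apple"}

# profile -> [(attribute, regex, certainty)]. Constructed signatures, not ISE's built-in ones.
PROFILES = {
    "Cisco-IP-Phone": [("oui", r"^Cisco$", 10),
                       ("cdp_platform", r"Cisco IP Phone", 70),
                       ("dhcp_class_id", r"IP Phone", 30)],
    "HP-Printer":     [("oui", r"^Hewlett", 10),
                       ("dhcp_hostname", r"^NPI", 20),
                       ("snmp_sysdescr", r"(LaserJet|JetDirect)", 50)],
    "Apple-iDevice":  [("oui", r"^Apple$", 10),
                       ("dhcp_hostname", r"(iPhone|iPad)", 40),
                       ("http_user_agent", r"(iPhone|iPad).*Mobile", 40)],
}
MIN_CERTAINTY = 30                                  # assumed threshold
MAB_ELIGIBLE = {"HP-Printer", "Cisco-IP-Phone"}     # profiles allowed to bypass 802.1X


def oui_vendor(mac: str) -> str:
    return OUI_VENDOR.get(mac.lower()[:8], "")


def score(attrs: Dict[str, str]) -> Dict[str, Tuple[int, List[str]]]:
    """Certainty per profile plus the matched conditions (the WHY from the visibility slide)."""
    facts = dict(attrs)
    facts["oui"] = oui_vendor(attrs.get("mac", ""))
    result = {}
    for name, conditions in PROFILES.items():
        total, matched = 0, []
        for attr, pattern, weight in conditions:
            value = facts.get(attr, "")
            if value and re.search(pattern, value):
                total += weight
                matched.append(f"{attr}~/{pattern}/ (+{weight})")
        result[name] = (total, matched)
    return result


def profile(attrs: Dict[str, str]) -> Tuple[str, int, List[str]]:
    """Return (profile_name, certainty, matched_conditions); 'Unknown' below the threshold."""
    scores = score(attrs)
    best, (total, matched) = max(scores.items(), key=lambda kv: kv[1][0])
    if total < MIN_CERTAINTY:
        return "Unknown", total, matched     # best guess only; not enough to act on
    return best, total, matched


def build_mab_list(endpoints: List[Dict[str, str]]) -> Set[str]:
    """Automate the MAB list: MACs of endpoints profiled as a MAB-eligible type."""
    return {e["mac"].lower() for e in endpoints if profile(e)[0] in MAB_ELIGIBLE}


# Constructed endpoint attributes, as DHCP/CDP/SNMP/HTTP probes would have collected them.
ENDPOINTS = [
    {"mac": "00:33:44:aa:bb:01", "dhcp_hostname": "NPI1A2B3C",
     "snmp_sysdescr": "HP LaserJet 4250 JetDirect"},
    {"mac": "00:11:22:aa:bb:02", "cdp_platform": "Cisco IP Phone 7965",
     "dhcp_class_id": "Cisco Systems, Inc. IP Phone CP-7965G"},
    {"mac": "00:55:66:aa:bb:03", "dhcp_hostname": "Sallys-iPhone",
     "http_user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) Mobile/9B176"},
    {"mac": "00:33:44:aa:bb:04"},                                   # HP OUI, nothing else seen
    {"mac": "00:11:22:aa:bb:05", "dhcp_hostname": "NPI-spoof"},      # Cisco OUI, printer-like hostname
]

if __name__ == "__main__":
    for ep in ENDPOINTS:
        name, certainty, why = profile(ep)
        print(f"{ep['mac']} -> {name:15} certainty={certainty:3}  {why}")
    print("MAB list:", sorted(build_mab_list(ENDPOINTS)))
```

The last two endpoints are the "best guess" limitation in miniature: an OUI alone, or a single spoofable DHCP hostname, never clears the threshold, so neither device is added to the MAB list. Pick the weights so that no single attribute an attacker controls from the endpoint (MAC, DHCP options, User-Agent) is enough on its own; the switch-sourced CDP and SNMP evidence is what carries the high weights here.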
Business Case Continues to Evolve

   • Requirements:
      1.  Retailer-X must ensure that only Retailer-X employees are gaining
          access to the network.
      Solution: Identity with 802.1X
      2. Authorized Non-Authenticating Devices must continue to have
          network access.
      Solution: Centralized MAB
      3. Need to Automate the building of the MAB List
      Solution: Use Profiling technology to automate the building of the MAB list.




Business Case Evolution
Improving Guest Access




Guest Users' Needs

  [Figure: guest devices reach the Internet through wireless APs and a WLC,
   and through the wired LAN]
How does it work?

   • The guest user connects to the open SSID "guest" with web authentication
   • The WLC redirects the guest web session to the ISE guest portal for
     authentication
   • ISE (the Policy Server) authenticates the guest and access is authorized
     for the guest user
   • The guest account needs to have been created first:
       • via a sponsor
       • or by self-service
Components of a Full Guest Lifecycle Solution

   Provisioning: Guest accounts via the sponsor portal
   Notify: Guests of account details by print, email, or SMS
   Manage: Sponsor privileges, guest accounts and policies, guest portal
   Authenticate/Authorize: the guest via a guest portal on ISE
   Report: On all aspects of guest accounts
Guest Users DB – Account Creation Methods
     • Two Ways to Populate the ISE Internal Guest Database

       •   Self-Service
           Option on the ISE 'Guest Portal'

       •   Sponsoring
           via the ISE 'Sponsor Portal'
ISE – Guest Self-Service (For Your Reference)
ISE – Sponsor Portal
     Customizable sponsor
      pages
     Sponsor privileges
      tied to authentication/
      authorization policy
        • Roles sponsor can
          create
        • Time profiles can be
          assigned
        • Management of other
          guest accounts
        • Single or bulk account
          creation
     Sponsor and Guest
      reporting and audit


Sponsor Portal: Informing Guests
   • Sponsor will have three ways to inform guest
      1. Printing the details
      2. Sending the details via e-mail
      3. Sending the details via SMS




Guest user roles
  • When there is a need for different policies for different users:

    Guest:
      • Internet access only
      • Limited connection time: half a day, one day

    Contractor:
      • Internet access
      • Access to selected resources
      • Longer connection time: one week, one month

   Use several user identity groups in ISE, one per role.
Sponsor groups and privileges

   Sponsor group 1:
     • Can create users in groups 'contractor' and 'guest'
     • Can use time profiles up to one week
     • Can see all accounts in the group

   Sponsor group 2:
     • Can create users in group 'guest' only
     • Can use time profiles up to one day
     • Cannot do bulk creation
ISE – Web Authentication




Full Audit of Guest Lifecycle




Business Case Evolution
We have Identity… We have Guests Lifecycle Management…

Can we get more information?


Business Case Continues to Evolve

    • Requirements:
      4. Employees of Retailer-X must be using a Corporate-owned
         asset.
      5. All Corporate assets must be running Trend Micro Anti-Virus,
         and it must be up-to-date.
      6. All guests must run Antivirus (any).
      Solution: Let's find out
Posture Assessment
  • Does the device meet Security Requirements?
    • Posture = the state of compliance with the company's
      security policy.
       Is the system running the current Windows patches?
       Anti-Virus installed? Is it up-to-date?
       Anti-Spyware installed? Is it up-to-date?
    • Now we can extend the user / system Identity to include
      their Posture Status.
ISE – Posture Assessment Checks
   • Microsoft Updates
        Service Packs
        Hotfixes
        OS/Browser versions
   • Antivirus
        Installation/Signatures
   • Antispyware
        Installation/Signatures
   • Files
        File data
   • Services
   • Applications/Processes
   • Registry keys
Posture Assessment
  • What if a user fails the check?
    • New term: Remediation
       The act of correcting any missing or out-of-date items found by the posture assessment.
       This can trigger the use of:
           Corporate patching systems (e.g. BigFix, Altiris)
           Windows Server Update Services (WSUS)
           Windows Update
           Anti-virus product update services (LiveUpdate.exe, etc.)
Posture Assessment Flow
  1. Username / password = OK, Posture = Unknown, Authorization = Temporary.
     The endpoint is placed in the Corp VLAN, but the switch applies a restrictive ACL to the session:
         permit ip any host <Remediation>
         permit ip any host <PolicyServer>
         deny ip any any
     Only the remediation server and the policy server (ISE) are reachable while the posture agent reports in.
  2. Username / password = OK, Posture = Compliant, Authorization = Full Access.
     The endpoint stays in the same Corp VLAN; the session ACL is replaced with:
         permit ip any any
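The flow above, as an added example (not code from the slides or from Cisco): the endpoint stays in one VLAN and only the per-session ACL changes with its posture. The ACL lines are the ones on the slides in Cisco ACE syntax; the remediation and policy server addresses and the endpoint address are assumptions chosen for the example.

```python
"""Posture-gated authorization: parse the per-session ACLs from the slides
and check which destinations an endpoint can reach in each posture state.
Added example; server addresses are assumptions, not from the slides."""
import ipaddress

# Assumed addresses (not on the slides).
REMEDIATION_SERVER = "10.1.100.10"   # e.g. WSUS / AV update server
POLICY_SERVER = "10.1.100.5"         # ISE policy service node

# The two session ACLs from the flow, written in Cisco ACE syntax.
PRE_POSTURE_ACL = [
    f"permit ip any host {REMEDIATION_SERVER}",
    f"permit ip any host {POLICY_SERVER}",
    "deny ip any any",
]
FULL_ACCESS_ACL = ["permit ip any any"]


def _parse_target(tokens):
    """Consume one address spec from the front of tokens:
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (Cisco wildcard mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # A Cisco wildcard mask is the bitwise inverse of a netmask.
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> <dst>' into (action, proto, src, dst)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    src = _parse_target(rest)
    dst = _parse_target(rest)
    return action, proto, src, dst


def acl_permits(acl, src_ip, dst_ip, proto="ip"):
    """First-match evaluation; a Cisco ACL ends with an implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, ace_proto, src_net, dst_net in map(parse_ace, acl):
        if ace_proto not in ("ip", proto):
            continue
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def authorize(posture):
    """Authorization result for a posture state. Unknown (agent has not
    reported yet) and NonCompliant both get the remediation-only ACL;
    only Compliant gets full access."""
    if posture == "Compliant":
        return {"authorization": "Full Access", "dacl": FULL_ACCESS_ACL}
    return {"authorization": "Temporary", "dacl": PRE_POSTURE_ACL}


def can_reach(posture, src_ip, dst_ip, proto="ip"):
    """Would a packet from the endpoint pass the session ACL for this posture?"""
    return acl_permits(authorize(posture)["dacl"], src_ip, dst_ip, proto)


if __name__ == "__main__":
    endpoint = "10.1.20.50"                      # assumed endpoint address
    for posture in ("Unknown", "NonCompliant", "Compliant"):
        print(posture, authorize(posture)["authorization"],
              "remediation:", can_reach(posture, endpoint, REMEDIATION_SERVER),
              "internet:", can_reach(posture, endpoint, "93.184.216.34"))
```

Note that the pre-posture ACL is written as "permit to two hosts, then deny everything", not as "deny the Internet": anything the remediation path needs that is not on that list (a DNS server, a proxy) has to be added explicitly, which is the usual cause of endpoints stuck in the Temporary state.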
Making this work well
  • Change of Authorization (CoA)
    • CoA lets the policy server tell an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/redirection for a device/user without starting the entire process over again.
    • Without it: remove the user from the network and have the entire AAA process begin again, e.g. disassociate the wireless device and make it join the wireless network again.
    • Defined in RFC 3576, obsoleted by RFC 5176 (Dynamic Authorization Extensions to RADIUS).
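What a CoA exchange looks like on the wire, as an added example (not code from the slides or from Cisco): ISE, acting as the dynamic authorization client, sends a CoA-Request to the switch, which validates the Request Authenticator with the shared secret and answers CoA-ACK or CoA-NAK. The shared secret, addresses, session id and the cisco-av-pair text are assumptions for the example; the Message-Authenticator attribute that RFC 5176 recommends is left out so the basic packet format stays visible.

```python
"""RFC 5176 CoA-Request / CoA-ACK / CoA-NAK packets: encode, authenticate,
verify. Added example; values are assumptions, not an ISE capture."""
import hashlib
import hmac
import ipaddress
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45            # RFC 5176 packet codes
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 4, 26
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                 # cisco-av-pair VSA


def attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if isinstance(value, str):
        value = value.encode()
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific attribute carrying a Cisco AV pair (vendor id 9, type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_packet(code, identifier, attrs, secret, request_auth=None):
    """RADIUS packet with the authenticator computed per RFC 5176 section 3:
    Request Authenticator  = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)"""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    seed = bytes(16) if request_auth is None else request_auth
    authenticator = hashlib.md5(header + seed + attrs + secret).digest()
    return header + authenticator + attrs


def parse_packet(data):
    """Split a packet into (code, identifier, authenticator, attributes)."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    return code, identifier, data[4:20], data[20:]


def build_coa_request(identifier, secret, session_id, nas_ip, username):
    """ISE side: ask the NAS to re-run authorization for one session.
    The session is identified by Acct-Session-Id plus NAS-IP-Address."""
    attrs = (attr(ATTR_ACCT_SESSION_ID, session_id)
             + attr(ATTR_NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed)
             + attr(ATTR_USER_NAME, username)
             + cisco_avpair("subscriber:command=reauthenticate"))  # assumed AV pair
    return build_packet(COA_REQUEST, identifier, attrs, secret)


def verify_request(data, secret):
    """NAS side: act on the CoA only if the Request Authenticator checks out,
    i.e. the sender knows the shared secret and nothing was altered in transit."""
    code, _, authenticator, attrs = parse_packet(data)
    if code != COA_REQUEST:
        return False
    expected = hashlib.md5(data[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def build_response(request, code, secret):
    """NAS side: CoA-ACK / CoA-NAK, bound to the request by its authenticator."""
    _, identifier, request_auth, _ = parse_packet(request)
    return build_packet(code, identifier, b"", secret, request_auth=request_auth)


def verify_response(response, request, secret):
    """ISE side: the reply must echo our Identifier and be bound to our
    Request Authenticator by a peer that knows the shared secret."""
    code, identifier, authenticator, attrs = parse_packet(response)
    _, req_identifier, request_auth, _ = parse_packet(request)
    if identifier != req_identifier or code not in (COA_ACK, COA_NAK):
        return False
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


if __name__ == "__main__":
    secret = b"ise-nas-shared-secret"                 # assumed
    req = build_coa_request(7, secret, "0000012F", "10.1.1.1", "alice")
    print("NAS accepts request:", verify_request(req, secret))
    ack = build_response(req, COA_ACK, secret)
    print("ISE accepts ACK:", verify_response(ack, req, secret))
```

The security of the exchange rests entirely on the shared secret and the MD5 authenticators, so CoA should only be accepted from the configured policy server addresses (on IOS this is the `aaa server radius dynamic-author` client list) and, wherever both ends support it, with Message-Authenticator required.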
Creating a System out of these Technologies
Network Access Controls
   Multiple options for wired access:
     • Identity Based Network Services (IBNS):
         802.1X for wired access, with ACS as the RADIUS server
         Profiling by NAC Profiler
         Guest = NAC Guest Server (NGS)
     • Cisco NAC Appliance:
         VLAN control via an SNMP control plane
         Profiling by NAC Profiler
         Guest = NAC Guest Server (NGS)
Network Access Controls
  Wireless and VPN access:
   • Wireless Access
      802.1X controlled by the WLC
      WLC has local enforcement
      Separate policies on ACS
   • Remote Access VPN
      Policy controlled by the ASA, or by in-line NAC
      Separate policies on ACS
Network Access Controls
   • TrustSec brings it all together: one 802.1X-based policy for wired, wireless and VPN access
What is the Identity Services Engine?

    • ISE is a next-generation RADIUS server
    • Note: RADIUS for network access ONLY
Identity Services Engine
   • Policy server designed for TrustSec
   • Consolidates ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server into one Identity Services Engine
   • Services: centralized policy, AAA, posture assessment, guest access, device profiling, monitoring, troubleshooting, reporting
A "Systems" Approach
A Systems Approach
  • Why is this so important?
    • When identity is an overlay (like NAC Appliance):
       There is an appliance or some other device doing the enforcement, called a Policy Enforcement Point (PEP).
       The trick is to "shape" traffic towards those PEPs:
           Some use DHCP or DNS tricks
           Others use MAC spoofing (man-in-the-middle)
           Cisco uses the network to get traffic to the appliance: virtual networks (VRFs), policy-based routing (PBR), etc.
Overlay solution
   [Figure: in-line NAC Server between the access switch and the trusted network]
   Access switch (Cat 3750): the corporate PC connects; its port is first set to the Auth VLAN (VLAN 100, DIRTY_VLAN) and, after authentication, to its Access VLAN (VLAN 200 EMPLOYEES, VLAN 210 CONTRACTORS or VLAN 300 GUESTS)
   NAC Server: the untrusted side faces the DIRTY VRF, the trusted side faces the global network
   Guest traffic (VLAN 300) is kept in a separate Guest VRF
   An ASA fronts the Internet
A Systems Approach
  • Why is this so important?
    • When identity is embedded (like 802.1X):
       The switch, WLC, or VPN headend is the enforcement device, the Policy Enforcement Point (PEP)
       The switch does all the work, instead of an appliance:
           URL redirection
           Policy enforcement with ACLs, SGTs, VLAN assignment, etc.
A Systems Approach
  • Switch is the PEP

Adding Power to Dot1X
Secure Group Access
   • Topology-independent access control
     • Term describing the use of:
        Security Group Tags (SGTs)
        Security Group ACLs (SGACLs)
        When a user logs in they are assigned a tag (SGT) that identifies their role
        The tag is carried throughout the network
     • The switch in front of the server applies SGACLs based on a "matrix" (see below):

        Source SGT     Public     Private
        Staff          Permit     Permit
        Guest          Permit     Deny
Customer Challenges - Ingress Access Control
   802.1X/MAB/Web Auth can result in:
   • VLAN assignment
     •   Can I create / manage the new VLANs or IP address scope?
     •   How do I deal with DHCP refresh in the new subnet?
     •   How do I manage the ACL on the VLAN interface?
     •   Do protocols such as PXE or WOL work with VLAN assignment?
     •   Any impact on route summarization?
   • ACL download
     •   Who's going to maintain the ACLs?
     •   What if my destination IP addresses change?
     •   Does my switch have enough TCAM to handle all requests?

   Traditional access authorization methods leave some deployment concerns:
       Detailed design before deployment is required, otherwise…
       Not so flexible for the changes required by today's business
       The access control project ends up redesigning the whole network
What is Secure Group Access?
   • SGA is a part of TrustSec
     • Next-generation access control enforcement
        Removes the concern about TCAM space for detailed ingress ACLs
        Removes the concern about ACE explosion on data center firewalls
     • An additional enforcement point that keeps the infrastructure "sticky"
        Now includes Cisco ASA firewalls, too.
     • Assign a tag at login; enforce that tag in the data center.
What is a Security Group Tag?

   A role-based tag:
   1. A user (or device) logs into the network via 802.1X
   2. ISE is configured to send a tag in the authorization result, based on the "role" of the user/device
   3. The switch applies this tag to the user's traffic.
Security Group Based Access Control

   • SGA allows customers:
        To keep the existing logical design at the access layer
        To change / apply policy to meet today's business requirements
        To distribute policy from a central management server
   • Example flow: the user authenticates (802.1X/MAB/Web Auth) as "I'm an employee, my group is HR"; ISE returns HR SGT = 100 and the access switch tags the traffic SGT=100 (ingress enforcement). In the data center the egress switch applies the SGACL (egress enforcement) in front of the HR servers (SGT=100) and the Finance servers (SGT=4).
Security Group Based Access Control

   • Security Group Firewalling:
        Extends the concept to the ASA
        Use Security Group Tags (SGTs) in your ASA firewall policy!
        Available in Arsenal (1HCY2012)
   • Same flow as above: the user gets HR SGT = 100 at ingress; the ASA in front of the Finance (SGT=4) and HR (SGT=100) servers enforces at egress with rules whose columns are:

        S-IP   User   S-SGT   D-IP   D-SGT   Action (e.g. DENY)
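The two egress enforcement points from the slides above (the data center switch with its SGACL matrix, and the ASA with security group firewall rules), as an added example that is not code from the slides or from Cisco. Finance = SGT 4 and HR = SGT 100 are the values on the slides; the other tags, the IP-to-SGT bindings, the matrix cells and the firewall rules are assumptions for the example. The point it shows is that the decision is keyed on a tag pair, so re-addressing a server changes a binding but not the policy.

```python
"""SGACL matrix and security group firewall rules evaluated on (source SGT,
destination SGT). Added example; tags other than 4 and 100, bindings and
rule contents are assumptions."""

# Tags returned by ISE at login / assigned to server groups.
SGT = {"Guest": 3, "Finance": 4, "HR": 100, "Public_Servers": 10, "Private_Servers": 11}

# SGACL matrix: (source SGT, destination SGT) -> role-based ACL in IOS SGACL
# syntax. Cells that are absent fall through to the default action.
SGACL_MATRIX = {
    (SGT["Guest"], SGT["Public_Servers"]):    ["permit ip"],
    (SGT["Guest"], SGT["Private_Servers"]):   ["deny ip"],
    (SGT["Finance"], SGT["Public_Servers"]):  ["permit ip"],
    (SGT["Finance"], SGT["Private_Servers"]): ["permit tcp dst eq 443", "deny ip"],
    (SGT["HR"], SGT["Public_Servers"]):       ["permit ip"],
    (SGT["HR"], SGT["Private_Servers"]):      ["permit ip"],
}

# IP-to-SGT bindings the egress switch learns (e.g. via SXP or static mapping).
IP_SGT_BINDINGS = {
    "10.2.0.10": SGT["Public_Servers"],
    "10.2.0.20": SGT["Private_Servers"],
}


def sgacl_action(src_sgt, dst_sgt, proto="ip", dst_port=None, default="deny"):
    """Evaluate the matrix cell for a tag pair; first matching ACE wins."""
    for ace in SGACL_MATRIX.get((src_sgt, dst_sgt), []):
        tokens = ace.split()
        action, ace_proto = tokens[0], tokens[1]
        if ace_proto != "ip" and ace_proto != proto:
            continue
        # 'dst eq <port>' restricts the ACE to one destination port.
        if "eq" in tokens and dst_port != int(tokens[tokens.index("eq") + 1]):
            continue
        return action
    return default


def enforce_on_switch(src_sgt, dst_ip, proto="ip", dst_port=None):
    """Egress switch: resolve the destination tag from the binding table,
    then consult the matrix. Moving a server to a new address only changes
    its binding; the matrix is untouched."""
    dst_sgt = IP_SGT_BINDINGS.get(dst_ip)
    if dst_sgt is None:
        return "deny"          # unknown destination tag: fail closed (assumed)
    return sgacl_action(src_sgt, dst_sgt, proto, dst_port)


# ASA security group firewall: ordered rules over the columns on the slide
# (S-IP, User, S-SGT, D-IP, D-SGT). A key that is absent from a rule is a
# wildcard; the first matching rule wins.
SG_FIREWALL_RULES = [
    {"src_sgt": SGT["Guest"], "dst_sgt": SGT["Private_Servers"], "action": "deny"},
    {"user": "svc-backup", "dst_sgt": SGT["Private_Servers"], "action": "permit"},
    {"src_sgt": SGT["HR"], "dst_sgt": SGT["Private_Servers"], "action": "permit"},
]


def enforce_on_firewall(flow, default="deny"):
    """flow is a dict with any of src_ip, user, src_sgt, dst_ip, dst_sgt."""
    for rule in SG_FIREWALL_RULES:
        if all(flow.get(key) == value for key, value in rule.items() if key != "action"):
            return rule["action"]
    return default


if __name__ == "__main__":
    print("HR -> private server:", enforce_on_switch(SGT["HR"], "10.2.0.20"))
    print("Guest -> private server:", enforce_on_switch(SGT["Guest"], "10.2.0.20"))
    print("Finance -> private:443:", enforce_on_switch(SGT["Finance"], "10.2.0.20", "tcp", 443))
    print("Guest svc-backup via ASA:",
          enforce_on_firewall({"user": "svc-backup", "src_sgt": SGT["Guest"],
                               "dst_sgt": SGT["Private_Servers"]}))
```

Two things worth noticing when reading the output: a flow to an address with no binding is denied, so a gap in SXP or static mappings shows up as an outage rather than as open access; and on the firewall the first rule shadows the second for guest-tagged traffic even when the user matches, so rule order still matters once user and tag conditions are mixed.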
Media Access Control Security
   • MACsec: Layer-2 encryption (IEEE 802.1AE)
     • An IEEE standard; the keys are negotiated over 802.1X using MACsec Key Agreement (MKA, defined in 802.1X-2010)
        Encrypts the link between the host and the switch (hop-by-hop, not end-to-end)
        Traffic is decrypted at the switchport, so the backplane and uplinks carry it in the clear for inspection, ACLs, etc.
        Requires a supplicant that supports MACsec and the encryption key exchange

        [Figure: host, encrypted link, switchport]
Business Case Evolution: B.Y.O.D.
Business Case Continues to Evolve
   • The "i-Revolution"
     • New requirement:
        "Our CEO went to a retail conference recently and won an iPad. He demands we allow it access to the network, because it is a productivity tool and we are prohibiting his productivity without the iPad."
     • New requirement: allow access to i-devices
     • New term: "Bring Your Own Device" (BYOD)
Identity Services Engine
   • Policy management for Borderless Networks
     • Context-based access:
       Who?     Known users (Employees, Sales, HR); unknown users (Guests)
       What?    Device identity; device classification (profile); device health (posture)
       How?     Wired; wireless; VPN
       Where?   Geographic location; department; SSID / switchport
       When?    Date; time; start/stop of access
       Other?   Custom attributes; device/user states; applications used
     • Policy definition
     • Policy enforcement
     • Monitoring and troubleshooting
How do we Build a BYOD Policy?

   • What are the required parts of the policy?

     Corp asset?        AuthC type        Profile      AuthZ result
     AD member?         Machine certs?    i-Device     Full Access
     Static list?       User certs?       Android      i-Net only
     MDM?               Uname/Pwd         Windows      VDI + i-Net
     Certificate?                         Other
Example BYOD Policy in ISE
   • Using a pre-defined list of assets
   • Rule columns: Device Type, User, Results
   • Rules are evaluated in order; the last rule matches any i-device not in the identity group above, for ANY user, and assigns the Guest VLAN
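An ordered BYOD authorization policy of the kind the two slides above sketch, as an added example (not code from the slides or from ISE): first match wins, the "pre-defined list of assets" is a MAC-keyed identity group, and the catch-all for unregistered i-devices sits last. Group names, the registered-device list, profile strings and the authentication-method labels are assumptions for the example; the result strings are the ones on the slides.

```python
"""First-match BYOD authorization rules plus a check for rules that can
never be reached. Added example; groups, MACs and profiles are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset          # AD group membership
    mac: str                   # Calling-Station-Id
    profile: str               # profiler result, e.g. "Apple-iPad" (assumed strings)
    authc: str                 # "EAP-TLS-machine", "EAP-TLS-user", "PEAP-MSCHAPv2", "MAB"


# "Pre-defined list of assets": MAC -> endpoint identity group (assumed).
REGISTERED_ASSETS = {
    "00:11:22:33:44:55": "Corp-iDevices",
    "aa:bb:cc:dd:ee:01": "Corp-Windows",
}


def is_idevice(session):
    return session.profile.startswith("Apple-")


def is_corp_asset(session, group):
    return REGISTERED_ASSETS.get(session.mac.lower()) == group


def is_employee(session):
    return "Employees" in session.groups


# (rule name, condition, authorization result); evaluated top to bottom.
# A registered MAC alone never grants the corporate result: the user must
# also be an employee, since a MAC is trivially spoofable.
AUTHZ_RULES = [
    ("Corp Windows, machine cert",
     lambda s: s.authc == "EAP-TLS-machine" and s.profile.startswith("Windows")
     and is_corp_asset(s, "Corp-Windows"),
     "Full Access"),
    ("Corp i-device, employee",
     lambda s: is_idevice(s) and is_corp_asset(s, "Corp-iDevices") and is_employee(s),
     "VDI + i-Net"),
    ("Employee on personal device",
     lambda s: is_employee(s) and s.authc in ("EAP-TLS-user", "PEAP-MSCHAPv2"),
     "i-Net only"),
    ("Any other i-device",          # the catch-all from the slide, any user
     lambda s: is_idevice(s),
     "Assign Guest VLAN"),
]
DEFAULT_RESULT = "Deny Access"


def authorize(session):
    """Return (rule name, result) of the first rule whose condition holds."""
    for name, condition, result in AUTHZ_RULES:
        if condition(session):
            return name, result
    return "Default", DEFAULT_RESULT


def shadowed_rules(rules, samples):
    """Rules that no sample session ever reaches: a cheap check for an
    ordering mistake such as the catch-all placed above a specific rule."""
    hit = set()
    for session in samples:
        for name, condition, _ in rules:
            if condition(session):
                hit.add(name)
                break
    return [name for name, _, _ in rules if name not in hit]


if __name__ == "__main__":
    ipad = Session("alice", frozenset({"Employees"}), "00:11:22:33:44:55",
                   "Apple-iPad", "PEAP-MSCHAPv2")
    print(authorize(ipad))
    spoofed = Session("guest1", frozenset({"Guests"}), "00:11:22:33:44:55",
                      "Apple-iPad", "PEAP-MSCHAPv2")
    print(authorize(spoofed))
```

Running the same sample sessions through a re-ordered rule list with `shadowed_rules` is the quickest way to catch the classic mistake of the guest catch-all being moved above the registered-device rule, which silently sends every corporate iPad to the guest VLAN.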
Summary
Links

   • TrustSec & ISE on Cisco.com
        http://www.cisco.com/go/trustsec
        http://www.cisco.com/go/ise
        http://www.cisco.com/go/isepartner
   • TrustSec & ISE Deployment Guide:
        http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
   • YouTube: Fundamentals of TrustSec:
        http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew
Q&A
We value your feedback.
     Please be sure to complete the Breakout Sessions Evaluation Form.

Access today's presentations at cisco.com/ca/ciscoplus

Follow @CiscoCanada and join the #CiscoPlus conversation
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
Sem cis ise
Sem cis iseSem cis ise
Sem cis ise
 
ClearPass Overview
ClearPass OverviewClearPass Overview
ClearPass Overview
 
Webinar: Goodbye RSA. Hello Modern Authentication.
Webinar: Goodbye RSA. Hello Modern Authentication.Webinar: Goodbye RSA. Hello Modern Authentication.
Webinar: Goodbye RSA. Hello Modern Authentication.
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM i
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
Security 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM iSecurity 101: Multi-Factor Authentication for IBM i
Security 101: Multi-Factor Authentication for IBM i
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right Way
 
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
 
G3sixty Overview
G3sixty OverviewG3sixty Overview
G3sixty Overview
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversys
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012
 
Cloud security privacy- org
Cloud security  privacy- orgCloud security  privacy- org
Cloud security privacy- org
 
Staying Secure When Moving to the Cloud - Dave Millier
Staying Secure When Moving to the Cloud - Dave MillierStaying Secure When Moving to the Cloud - Dave Millier
Staying Secure When Moving to the Cloud - Dave Millier
 
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft AzureUno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
Uno, nessuno o 10.000, la gestione dell'identità ai tempi di Microsoft Azure
 
Oracle 4월 20일
Oracle 4월 20일Oracle 4월 20일
Oracle 4월 20일
 
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
 

Más de Cisco Canada

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco Canada
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic frCisco Canada
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco Canada
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dcCisco Canada
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco Canada
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Cisco Canada
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v finalCisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...Cisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet OverviewCisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicingCisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zeroCisco Canada
 

Más de Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Último

MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 

Último (20)

MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 

Here are the key points:
  • Monitor mode allows you to enable 802.1X authentication on interfaces without enforcing access control initially.
  • It allows devices to authenticate and gain network access even if authentication fails, so you can monitor authentication attempts and identify issues before enforcing.
  • This is important for planning remediation and troubleshooting authentication problems before moving to a more restricted enforcement mode.
  • It provides visibility into who and what is attempting to authenticate so you can determine readiness for a phased enforcement approach.
  • The goal is to identify and address authentication failures through troubleshooting and remediation in monitor mode before moving to authenticated-only or closed access modes.
  • This phased approach avoids

  • 6. So, TrustSec = Identity, Right? • Yes, but it refers to an Identity System (or solution) Policy Servers are only as good as the enforcement device (Switches, WLC‘s, Firewalls, etc…) • But what is ―Identity‖: • Understanding the Who / What / Where / When & How of a user or device‘s access to a network. #CiscoPlus
  • 8. Why Identity Is Important Who are you? Keep the Outsiders 1 802.1X (or supplementary method) Out authenticates the user Keep the Insiders Where can you go? Honest 2 Based on authentication, user is placed in correct VLAN What service level to you receive? Personalize the 3 The user can be given per-user Network services (ACLs, Macros, SGA) What are you doing? Increase Network 4 The user‘s identity and location can Visibility be used for tracking and accounting #CiscoPlus
  • 9. What Is Authentication? • Authentication is the process of establishing and confirming the identity of a client requesting services I’d Like to Withdraw $200.00 Please. Do You Have Identification? Yes, I Do. Here It Is. An Authentication System Is Only as Strong as the Method of Verification Used #CiscoPlus
  • 10. What Is Authorization? • Authorization is the process of granting a level of access to the network I’d Like to Withdraw $200.00 Please. Do You Have Identification? Yes, I Do. Here It Is. Thank You. Here is your money. #CiscoPlus
  • 11. The Business Case #CiscoPlus
  • 12. Business Case • Throughout the presentation, we will refer to a business case. One that will continue to evolve: Company: Retailer-X Problem Definition: The company stores credit card data from all sales transactions. As with all companies: Vendors & Guests are constantly visiting Retailer- X, to pitch new products to be sold, or even to sell network, security & collaboration equipment to Retailer-X. Company must ensure that only Retailer-X employees are gaining access to the network. Solution: Identity with 802.1X #CiscoPlus
  • 13. Default Port State State without Default Port without 802.1X 802.1X No Authentication Required  No visibility  No Access Control ? ? USER #CiscoPlus
  • 14. Default Security with Default Security with 802.1X 802.1X Before Authentication  No visibility (yet)  Strict Access Control One Physical Port ->Two Virtual ports Uncontrolled port (EAPoL only) Controlled port (everything else) ? ? USER ALL traffic except EAPoL is dropped #CiscoPlus
  • 15. Default Security with Default Security with 802.1X 802.1X After Authentication  User/Device is Known  Identity-based Access Control • Single MAC per port Looks the same as without 802.1X ? Authenticated User: Sally Having read your mind Sally, that Authenticated Machine: XP-ssales-45 is true, unless you apply an authorization, access is wide open. We will discuss restricting access at a later time. #CiscoPlus
  • 16. Revisit: Business Case • Company: Retailer-X • Problem Definition: The company stores credit card data from all sales transactions. As with most companies: Vendors & Guests are constantly visiting Retailer-X, to pitch new products to be sold, or even to sell network, security & collaboration equipment to Retailer-X. Company must ensure that only Retailer-X employees are gaining access to the network. • Solution: Identity with 802.1X #CiscoPlus
  • 17. Revisit: Business Case • Did we meet the business case? YES! • But what was missing? • What lessons have we learned? We called Dot1x an "access prevention" technology #CiscoPlus
  • 18. What Happened? What went Wrong? @ Retailer-X, BEFORE Monitor Mode is available … I‘ve done my homework in Proof of Concept Lab and it looks good. I‘m turning on 802.1X tomorrow… Enabled 802.1X IT Mgr. I can‘t connect to my network. It says Authentication failed but I don‘t know how to fix. My presentation is in 2 hours… Help Desk call increased by 40% #CiscoPlus
  • 19. What was missing? • What lessons were learned? • Access-Prevention Technology A Monitor Mode is necessary Must have ways to implement & see who would succeed & who would fail Determine why, and then remediate before taking Dot1x into a stronger enforcement mode. • Solution = Phased Approach to Deployment: Monitor Mode Authenticated Mode Enforcement Mode -or- Closed Mode #CiscoPlus
• 20. Monitor Mode: a process, not just a mode.
  Enables 802.1X authentication on the switch interface, but even a failed authentication still gains access. This lets network admins see who would have failed, and fix it, before causing a denial of service.
  Interface config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
  Caveat: "authentication open" does not stop the switch from applying a dACL or VLAN that the RADIUS server returns, so during this phase the authorization policy should hand back a plain Access-Accept with no enforcement attributes.
  Diagram: pre-AuthC and post-AuthC switchport (DHCP, TFTP, KRB5, HTTP, EAPoL): Permit All in both states; traffic is always allowed.
• 21. Authenticated Mode: if authentication is valid, then full access.
  Monitor Mode plus an ACL to limit the pre-authentication traffic flow. AuthC success = full access. A failed AuthC can only reach the services the default ACL permits. WebAuth is available for non-authenticated users.
  Interface config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     ip access-group default-ACL in
  Diagram: pre-AuthC switchport (DHCP, TFTP, KRB5, HTTP, EAPoL): Permit Some; post-AuthC: Permit All.
• 22. Enforcement Mode: if authentication is valid, then specific access.
  AuthC success = role-specific access through dynamic VLAN (dVLAN) assignment, downloadable ACLs (dACLs) or Secure Group Access. Still allows pre-AuthC access, through the default ACL, for thin clients, PXE, etc. WebAuth for non-authenticated users.
  Interface config (the same as Authenticated Mode; what changes is that the RADIUS authorization result now carries the specific dACL, dVLAN or SGT):
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     mab
     dot1x pae authenticator
     ip access-group default-ACL in
  Diagram: pre-AuthC (DHCP, TFTP, KRB5, HTTP, EAPoL): Permit Some; post-AuthC (DHCP, RDP, KRB5, HTTP, SGT): role-based ACL.
• 23. Closed Mode: no access prior to login, then specific access.
  The default 802.1X behaviour: no access at all prior to AuthC (note that "authentication open" is absent). All AuthZ enforcement types still apply: dACL, dVLAN, SGA. Thin clients, PXE, etc. must be taken into consideration, since they get nothing before authentication.
  Interface config:
    interface GigabitEthernet1/0/1
     authentication host-mode multi-auth
     authentication port-control auto
     mab
     dot1x pae authenticator
  Diagram: pre-AuthC: EAPoL only; post-AuthC (DHCP, TFTP, KRB5, HTTP, SGT): Permit All or role-based ACL.
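The four interface configurations above (slides 20 to 23) differ only in what the switch does with a frame before and after a successful authentication. The following Python model is an added example, not Cisco code and not from the original deck: it reduces each mode to a per-frame forwarding decision so the phased rollout can be reasoned about, and unit-tested, before a switch is touched. The mode names, the contents of the default-ACL and of the role dACL, and the Frame/PortState structures are assumptions for illustration; the EAPoL EtherType 0x888E is the real value.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

EAPOL_ETHERTYPE = 0x888E  # IEEE 802.1X: the only frames the uncontrolled port ever accepts

Key = Tuple[str, int]     # (protocol, destination port)

# Pre-authentication ACL applied by "ip access-group default-ACL in". Contents are an
# assumption for this example: the bootstrap protocols the slide icons show.
DEFAULT_ACL: Set[Key] = {("udp", 67), ("udp", 69), ("tcp", 80), ("tcp", 88)}

MODES = ("monitor", "authenticated", "enforcement", "closed")


@dataclass(frozen=True)
class Frame:
    ethertype: int           # 0x888E for EAPoL, 0x0800 for IPv4
    proto: str = "ip"
    dport: int = 0


@dataclass
class PortState:
    mode: str
    authenticated: bool = False
    dacl: Optional[Set[Key]] = None   # downloadable ACL returned in the RADIUS Access-Accept


def forwards(port: PortState, frame: Frame) -> bool:
    """Does the controlled/uncontrolled port pair let this frame through?"""
    if port.mode not in MODES:
        raise ValueError(f"unknown mode {port.mode!r}")
    if frame.ethertype == EAPOL_ETHERTYPE:
        return True  # uncontrolled port: EAPoL passes in every mode and state
    key = (frame.proto, frame.dport)
    if port.authenticated:
        # monitor/authenticated: AuthC success means full access;
        # enforcement/closed: the role-specific dACL, when RADIUS returned one
        if port.mode in ("enforcement", "closed") and port.dacl is not None:
            return key in port.dacl
        return True
    if port.mode == "monitor":
        return True   # "authentication open" with no ACL: everything forwards
    if port.mode == "closed":
        return False  # default 802.1X: controlled port blocks all non-EAPoL
    return key in DEFAULT_ACL  # authenticated/enforcement: open + pre-auth ACL


def rollout_matrix(frame: Frame, role_dacl: Set[Key]) -> Dict[str, Tuple[bool, bool]]:
    """(pre-AuthC, post-AuthC) verdict for one frame in each phase of the rollout."""
    return {
        mode: (forwards(PortState(mode), frame),
               forwards(PortState(mode, authenticated=True, dacl=role_dacl), frame))
        for mode in MODES
    }


if __name__ == "__main__":
    thin_client = {("udp", 67), ("tcp", 3389)}  # assumed role dACL: DHCP + RDP only
    for name, f in (("http", Frame(0x0800, "tcp", 80)), ("rdp", Frame(0x0800, "tcp", 3389))):
        print(name, rollout_matrix(f, thin_client))
```

Reading the matrix for an HTTP frame shows the rollout story in one table: monitor and authenticated mode never block an authenticated user, enforcement mode blocks HTTP after login because the role dACL does not permit it, and closed mode blocks it both before and after. The same model is where a pre-auth exception for PXE or thin clients would be added to DEFAULT_ACL and tested before it ships.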
• 24. What was missing? What lessons were learned? No visibility from the supplicant: little to no user interaction. The user saw an "Authentication Failed" message, and that was all. When everything works, the user is unaware; when things stop working there is no visibility, just a call to the help desk. Solution: third-party supplicants. Cisco's AnyConnect supplicant provides the Diagnostic and Reporting Tool (DART), detailed logs from the client side, and unique hooks for RDP and VDI environments.
• 25. What was missing? What lessons were learned? No visibility at the RADIUS server either: nothing on the server side told the admin who had failed, or why.
• 26. Solution: ACS View, and its successor, the Identity Services Engine (ISE). (Slides 26 to 28 are screenshots of ACS View and ISE authentication reports.)
• 29. What was missing? What lessons were learned? Non-authenticating devices: these are the devices that were forgotten. They do not have software to speak EAP on the network, or they were not configured for it: printers, IP phones, cameras, badge readers. How to work with them? The first idea, not configuring Dot1x on those switchports, breaks as soon as the device moves to another port. Solution: MAC Authentication Bypass (MAB).
• 30. MAC Authentication Bypass (MAB). What is it? A list of MAC addresses that are allowed to "skip" 802.1X authentication. Is this a replacement for Dot1X? No way; this is a bandage. In a utopia, all devices authenticate. The list may be local (on each switch) or centralized (on the RADIUS server). Benefits of the centralized model: one list that follows the device to whichever port or switch it moves to, a single place to audit it, and the ability to attach an authorization to each entry. Keep in mind that a MAC address is trivially spoofed, so a MAB identity deserves a narrower authorization than an authenticated user.
• 31. What was missing? What lessons were learned? Guests: guests will not have configured supplicants, and they will not be authorized for access. Original solution: Dot1x timeouts. How this works: after a timeout period the switchport is automatically put into a Guest VLAN which provides Internet access. "No supplicant has responded for 90 seconds (three EAPoL Request-Identity attempts at the default 30-second tx-period), so just authorize the port for the GUEST VLAN."
• 32. What was missing? What lessons were learned? Missing or misconfigured supplicants: group policies may not have worked, software distribution may have missed a machine that had been off-network for a period of time, and so on. Dot1x timeouts would then take effect, and someone who should have been an authorized user ends up in the Guest network. The help desk gets a call from an unhappy user. Same mechanism: no supplicant responded for 90 seconds, so the port was authorized for the GUEST VLAN.
• 33. Enter: Web Authentication. Used to identify users without supplicants (misconfigured, missing altogether, etc.) and for guest authentication.
• 34. Business Case Continues to Evolve. Requirements: 1. Retailer-X must ensure that only Retailer-X employees gain access to the network. Solution: identity with 802.1X. 2. Authorized non-authenticating devices must continue to have network access. Solution: centralized MAB. 3. Need to automate the building of the MAB list. Solution: let's find out.
• 35. Profiling
• 36. Profiling Technology: the ability to classify devices. Why classify? Originally: to identify the devices that cannot authenticate and automatically build the MAB list, e.g. Printer = bypass authentication. Today: the profiling data is also used as part of an authorization policy, e.g. Authorized User + i-device = Internet only.
• 37. Profiling. (Figure: PCs versus non-PCs such as UPS, phone, printer, AP.) Additional benefit of profiling, visibility: a view of what is truly on your network; tracking of where a device has been, what IP addresses it has had, and other historical data; an understanding of why the device was profiled as a particular type (which profile signatures were matched).
• 38. Profiling Technology: visibility into what is on the network (screenshot).
• 39. Profiling Technology: how do we classify a device? Profiling uses signatures, similar to IPS: each probe (DHCP, HTTP, SNMP) contributes endpoint attributes, and those attributes are matched against the conditions of each profile.
• 40. Profiling: determining the required profile attributes (slides 40 and 41 are screenshots of the profiler conditions).
• 42. Profiling: best-practice recommendations. HTTP probe: use URL redirects rather than SPAN to centralize collection and reduce the traffic load on the network and on ISE related to SPAN/RSPAN; or use VACLs or other ways to filter down to HTTP-only traffic. DHCP probe: use IP helpers when possible, but be aware that an L3 device that serves DHCP itself will not relay DHCP to ISE; for DHCP over SPAN, make sure the probe captures traffic to the central DHCP server. SNMP probe: ISE 1.1 added an SNMP probe that pulls ARP tables from Cisco Layer-3 devices, which supplies the IP-to-MAC binding when DHCP is not used.
• 43. Profiling Technology: limitations of profiling. Best guess: profiling is best-effort classification from whatever attributes the probes could see, so an endpoint can be mis-profiled or remain unknown. MAB is a filter: it was only used to determine which MAC addresses were allowed to skip authentication; now the profiling data is also part of the authorization policy (e.g. Authorized User + i-device = Internet only), so a wrong profile becomes a wrong authorization.
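To make the "signatures, similar to IPS" and "best guess" points concrete, here is an added Python example (not ISE's profiler, and not from the original deck) that scores endpoint attributes against a small signature table, refuses to guess below a minimum certainty or on a tie, and then uses the result to auto-populate the centralized MAB list asked for on slides 30 and 34. The profile names, weights, OUI prefixes, DHCP strings and the MIN_CERTAINTY threshold are all assumed for illustration; real ISE profiles have their own conditions and certainty factors.

```python
import re
from typing import Dict, List, Tuple

Attributes = Dict[str, str]   # attribute name -> value, as the probes collected them

# Signature table (assumed for this example). Each condition is
# (attribute, regex, weight); a profile's score is the sum of matched weights.
# OUI prefixes and DHCP strings are illustrative values, not an authoritative registry.
SIGNATURES: Dict[str, List[Tuple[str, str, int]]] = {
    "HP-Printer": [
        ("oui", r"^00:1E:0B", 10),
        ("dhcp_class_identifier", r"Hewlett-Packard JetDirect", 20),
    ],
    "Apple-iPad": [
        ("oui", r"^(28:6A:BA|F0:DB:E2)", 10),
        ("dhcp_param_req_list", r"^1,3,6,15,119,252", 10),
        ("user_agent", r"\biPad\b", 20),
    ],
    "Cisco-IP-Phone": [
        ("oui", r"^00:0B:BE", 10),
        ("dhcp_class_identifier", r"Cisco Systems, Inc\. IP Phone", 20),
    ],
}
MIN_CERTAINTY = 20   # assumed: below this score, do not guess


def score(attrs: Attributes) -> Dict[str, int]:
    """Score every profile against the collected attributes."""
    return {
        profile: sum(w for key, pattern, w in conds
                     if key in attrs and re.search(pattern, attrs[key], re.IGNORECASE))
        for profile, conds in SIGNATURES.items()
    }


def classify(attrs: Attributes) -> Tuple[str, int]:
    """Best-effort classification: the highest score wins, but only above MIN_CERTAINTY
    and only if no other profile ties; otherwise the endpoint stays Unknown."""
    totals = score(attrs)
    best_score = max(totals.values())
    leaders = [p for p, v in totals.items() if v == best_score]
    if best_score < MIN_CERTAINTY or len(leaders) > 1:
        return ("Unknown", best_score)
    return (leaders[0], best_score)


def build_mab_list(endpoints: Dict[str, Attributes]) -> Dict[str, str]:
    """Auto-populate the centralized MAB list (MAC -> endpoint identity group) from
    profiling results. Endpoints that could not be classified are deliberately left
    out: they should not be allowed to skip 802.1X on a guess."""
    mab: Dict[str, str] = {}
    for mac, attrs in endpoints.items():
        profile, _ = classify({"oui": mac[:8], **attrs})
        if profile != "Unknown":
            mab[mac.upper()] = profile
    return mab
```

The interesting case is the printer that only ever showed its OUI: it scores 10, stays Unknown, and is kept off the MAB list until the DHCP probe sees its class identifier. That is the "best guess" limitation handled deliberately rather than silently.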
• 44. Business Case Continues to Evolve. Requirements: 1. Retailer-X must ensure that only Retailer-X employees gain access to the network. Solution: identity with 802.1X. 2. Authorized non-authenticating devices must continue to have network access. Solution: centralized MAB. 3. Need to automate the building of the MAB list. Solution: use profiling technology to automate the building of the MAB list.
• 45. Business Case Evolution: improving guest access.
• 46. Guest users' needs. (Figure: guest devices reach the Internet through the wireless APs and WLC, or through the wired LAN.)
• 47. How does it work? The guest associates to an open SSID with web authentication; the guest's web session is redirected to the ISE guest portal for authentication; once authenticated, access is authorized for the guest user on the WLC, with the ISE policy server making the decision. The guest account needs to exist first, created via a sponsor or via self-service.
• 48. Components of a full guest lifecycle solution. Provisioning: guest accounts via the sponsor portal. Notify: guests of account details by print, email or SMS. Manage: sponsor privileges, guest accounts and policies, guest portal. Authenticate/authorize: guests via a guest portal on ISE. Report: on all aspects of guest accounts.
• 49. Guest users DB: account creation methods. Two ways to populate the ISE internal guest database: self-service on the ISE Guest Portal, or sponsoring via the ISE Sponsor Portal.
• 50. ISE: guest self-service (reference screenshot).
• 51. ISE Sponsor Portal: customizable sponsor pages; sponsor privileges tied to the authentication/authorization policy (the roles a sponsor can create, the time profiles that can be assigned, management of other guests' accounts, single or bulk account creation); sponsor and guest reporting and audit.
• 52. Sponsor Portal: informing guests. A sponsor has three ways to inform a guest: 1. printing the details; 2. sending the details via e-mail; 3. sending the details via SMS.
• 53. Guest user roles: when different policies are needed for different users.
    Guest: Internet access only; limited connection time (half a day, one day).
    Contractor: Internet access plus access to selected resources; longer connection time (one week, one month).
  Implemented with several user identity groups in ISE.
• 54. Sponsor groups and privileges.
    Sponsor group 1: can create users in the groups "contractor" and "guest"; can use time profiles up to one week; can see all accounts in the group.
    Sponsor group 2: can create users in the group "guest" only; can use time profiles up to one day; cannot do bulk creation.
• 56. ISE: Web Authentication (screenshot).
• 58. Full audit of the guest lifecycle (screenshot).
• 59. Business Case Evolution. We have identity; we have guest lifecycle management; can we get more information?
• 60. Business Case Continues to Evolve. Requirements: 4. Employees of Retailer-X must be using a corporate-owned asset. 5. All corporate assets must be running Trend Micro Anti-Virus, and it must be up to date. 6. All guests must run antivirus (any). Solution: let's find out.
• 61. Posture Assessment. Does the device meet the security requirements? Posture = the state of compliance with the company's security policy: Is the system running the current Windows patches? Is antivirus installed, and is it up to date? Is antispyware installed, and is it up to date? Now the user/system identity can be extended to include its posture status.
• 62. ISE posture assessment checks: Microsoft updates (service packs, hotfixes, OS/browser versions); antivirus installation/signatures; antispyware installation/signatures; file data; services; applications/processes; registry keys.
• 63. Posture Assessment: what if a user fails the check? New term: remediation, the act of correcting any missing or out-of-date items from the posture assessment. This can trigger the use of corporate patching systems (e.g. BigFix, Altiris), Windows Software Update Services (WSUS), Windows Update, or the antivirus product's update service (LiveUpdate.exe, etc.).
• 64. Posture Assessment Flow, step 1: username/password = OK; posture = Unknown; authorization = temporary access on the corporate VLAN.
• 65. Posture Assessment Flow, step 2: the temporary authorization is a dACL that only reaches the remediation server and the policy server:
    permit ip any host <Remediation>
    permit ip any host <PolicyServer>
    deny ip any any
• 66. Posture Assessment Flow, step 3: posture = Compliant; authorization = full access on the corporate VLAN (permit ip any any).
• 67. Making this work well: Change of Authorization (CoA). CoA allows the policy server to tell an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/redirection for a device or user without starting the entire process over again. Without it, the only option is to remove the user from the network and have the entire AAA process begin again, e.g. disassociate the wireless device and force it to join again. Defined in RFC 3576, since replaced by RFC 5176.
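What a CoA actually looks like on the wire, as an added Python example that is neither Cisco nor ISE code: it builds an RFC 5176 CoA-Request (code 43) asking the switch to re-run authorization for one session, computes the Request Authenticator the RFC prescribes, and verifies it the way the receiving NAD would, which is what stops an unauthenticated party on the network from issuing its own CoA. The shared secret, session ID and MAC are constructed values; the Cisco AV-pair `subscriber:command=reauthenticate` is a real Cisco CoA command string, and this is the only one the example uses.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

COA_REQUEST = 43          # RFC 5176 codes: CoA-Request 43, CoA-ACK 44, CoA-NAK 45
CALLING_STATION_ID = 31   # RADIUS attribute: endpoint MAC address
ACCT_SESSION_ID = 44      # RADIUS attribute: the session to act on
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # Cisco VSA sub-type for "cisco-avpair"


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value RADIUS attribute; the length counts the 2-byte header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    data = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(identifier: int, secret: bytes, attrs: List[bytes]) -> bytes:
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(body))
    # RFC 5176 section 2.3: Request Authenticator =
    # MD5(Code + Identifier + Length + 16 zero octets + request attributes + shared secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the NAD checks before acting: a wrong secret or a tampered packet fails here."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def reauthenticate(session_id: str, mac: str, identifier: int, secret: bytes) -> bytes:
    """CoA that makes the NAD re-run authorization for one live session, so a new
    posture state (Unknown -> Compliant) yields the new dACL without a disconnect."""
    return build_coa_request(identifier, secret, [
        avp(ACCT_SESSION_ID, session_id.encode()),
        avp(CALLING_STATION_ID, mac.encode()),
        cisco_avpair("subscriber:command=reauthenticate"),
    ])
```

The authenticator is the whole security of CoA: it is a keyed MD5 over the packet with the RADIUS shared secret, so the secret's strength and the NAD's list of permitted CoA clients are what keep a host on the user VLAN from re-authorizing itself. Sending the datagram to UDP/1700 (Cisco's default CoA port) or UDP/3799 (the RFC default) is left to the caller.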
• 68. Creating a System out of these Technologies.
• 69. Network Access Controls: multiple options for wired access.
  Identity Based Networking Services (IBNS): 802.1X for wired access with policy on ACS; profiling by NAC Profiler; guest access by NAC Guest Server (NGS).
  Cisco NAC Appliance: VLAN control via an SNMP control plane with policy on the NAC Server; profiling by NAC Profiler; guest access by NGS.
  (Figure: the wired IBNS path, 802.1X to ACS, beside the wired NAC path, SNMP to NAC.)
• 70. Network Access Controls: wireless and VPN access.
  Wireless access: 802.1X controlled by the WLC, which does its own local enforcement; separate policies on ACS.
  Remote access VPN: policy controlled by the ASA, or by an in-line NAC appliance; separate policies on ACS.
  (Figure: wireless and VPN, each terminating its 802.1X or policy on ACS.)
• 71. Network Access Controls: TrustSec brings it all together, with 802.1X as the common foundation for wired, wireless and VPN.
• 72. What is the Identity Services Engine? ISE is a next-generation RADIUS server. Note: RADIUS for network access only, not device administration.
• 73. Identity Services Engine: a policy server designed for TrustSec. It consolidates ACS (AAA services), NAC Profiler (device profiling), NAC Guest (guest access services), NAC Manager and NAC Server (posture assessment) into one system, adding centralized policy, monitoring, troubleshooting and reporting.
• 75. A Systems Approach: why is this so important? When identity is an overlay (like NAC Appliance), an appliance or some other device does the enforcement; it is called a Policy Enforcement Point (PEP). The trick is to "shape" traffic towards those PEPs: some products use DHCP or DNS tricks, others use MAC spoofing (a deliberate man-in-the-middle), and Cisco uses the network itself to get traffic to the appliance: virtual networks (VRFs), policy-based routing (PBR), etc.
• 76. Overlay solution (figure): an access switch (Cat 3750) with VLAN 100 (DIRTY_VLAN), VLAN 200 (EMPLOYEES), VLAN 210 (CONTRACTORS) and VLAN 300 (GUESTS). A corporate PC connects and its port is set to the Auth VLAN; that traffic rides the DIRTY VRF to the untrusted side of the NAC Server, and only after it passes is the port set to the Access VLAN on the trusted global network. Guests are kept in a separate Guest VRF towards the ASA and the Internet.
• 77. A Systems Approach: when identity is embedded (like 802.1X), the switch, WLC or VPN device is the enforcement device, the PEP. The switch does all the work instead of an appliance: URL redirection, policy enforcement with ACLs, SGTs, VLAN assignment, etc.
• 78. A Systems Approach: the switch is the PEP (slides 78 and 79 are diagrams).
• 80. Adding Power to Dot1X.
• 81. Secure Group Access: topology-independent access control. The term covers the use of Security Group Tags (SGTs) and Security Group ACLs (SGACLs). When a user logs in, they are assigned a tag (SGT) that identifies their role, and the tag is carried throughout the network. The server-side switch applies SGACLs based on a matrix of source group against destination group, for example:
    SGT      Public    Private
    Staff    Permit    Permit
    Guest    Permit    Deny
• 82. Customer Challenges: ingress access control.
  VLAN assignment (via 802.1X/MAB/Web Auth) raises: Can I create and manage the new VLANs or IP address scopes? How do I deal with the DHCP refresh in a new subnet? How do I manage the ACL on the VLAN interface? Do protocols such as PXE or WOL work with VLAN assignment? Any impact on route summarization?
  ACL download raises: Who is going to maintain the ACLs? What if my destination IP addresses change? Does my switch have enough TCAM to handle all the requests?
  Traditional access authorization methods leave some deployment concerns: a detailed design before deployment is required, otherwise the result is not flexible enough for the changes today's business requires, and the access control project ends up redesigning the whole network.
• 83. What is Secure Group Access? SGA is a part of TrustSec: next-generation access control enforcement. It removes the concern about TCAM space for detailed ingress ACLs and about ACE explosion on data-center firewalls. It is an additional enforcement option tied to the infrastructure, now including Cisco ASA firewalls. Assign a tag at login, enforce that tag in the data center.
• 84. What is a Security Group Tag? A role-based tag: 1. a user (or device) logs in to the network via 802.1X; 2. ISE is configured to send a tag in the authorization result, based on the "role" of the user/device; 3. the switch applies this tag to the user's traffic.
• 85. Security Group Based Access Control. SGA allows customers to keep the existing logical design at the access layer, to change or apply policy to meet today's business requirements, and to distribute policy from a central management server. (Figure: at ingress, 802.1X/MAB/Web Auth classifies "I'm an employee, my group is HR" and assigns SGT=100; Finance is SGT=4; the SGACL is enforced at egress.)
• 86. Security Group Based Access Control: Security Group Firewalling extends the concept to the ASA. Use Security Group Tags (SGTs) in your ASA firewall policy, available in the Arsenal release (1H CY2012). (Figure: the same ingress tagging, HR SGT=100 and Finance SGT=4, with an ASA rule matching on S-IP, User, S-SGT, D-IP and D-SGT with action DENY.)
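The egress enforcement on slides 81 to 86 as an added Python example (not Cisco code): the data-center switch holds IP-to-SGT bindings for its servers and resolves each flow to a (source SGT, destination SGT) cell of the matrix, so re-addressing a server changes one binding and no ACL anywhere. The SGT numbers HR=100 and Finance=4 follow the slides; the remaining groups, the matrix contents, and the deny default for unmatched pairs are assumptions made for this example.

```python
from typing import Dict, List, Tuple

# SGT numbers: HR=100 and Finance=4 follow the slides; the rest are assumed.
SGT = {"Finance": 4, "Finance-Servers": 5, "HR": 100, "HR-Servers": 101, "Guest": 200}

# One SGACL cell = ordered list of ACEs (action, protocol, destination port);
# port 0 = any port, protocol "ip" = any protocol. First match wins inside a cell.
Ace = Tuple[str, str, int]
MATRIX: Dict[Tuple[int, int], List[Ace]] = {
    (100, 101): [("permit", "ip", 0)],                          # HR -> HR servers
    (100, 5):   [("permit", "tcp", 443), ("deny", "ip", 0)],    # HR -> Finance: web portal only
    (4, 5):     [("permit", "ip", 0)],                          # Finance -> Finance servers
    (200, 101): [("deny", "ip", 0)],                            # Guest -> HR servers
    (200, 5):   [("deny", "ip", 0)],                            # Guest -> Finance servers
}
DEFAULT_ACTION = "deny"   # assumed fallback for pairs with no cell; a real deployment may differ


def sgacl_lookup(src_sgt: int, dst_sgt: int, proto: str, dport: int) -> str:
    for action, ace_proto, ace_port in MATRIX.get((src_sgt, dst_sgt), []):
        if ace_proto in ("ip", proto) and ace_port in (0, dport):
            return action
    return DEFAULT_ACTION


class EgressSwitch:
    """Data-center switch: knows its servers' IP-to-SGT bindings and enforces the matrix
    on egress. The source SGT arrives with the packet, so the user's access-layer VLAN
    and IP address never appear in the policy."""

    def __init__(self, ip_to_sgt: Dict[str, int]) -> None:
        self.ip_to_sgt = dict(ip_to_sgt)

    def forward(self, src_sgt: int, dst_ip: str, proto: str, dport: int) -> str:
        dst_sgt = self.ip_to_sgt.get(dst_ip)
        if dst_sgt is None:
            return DEFAULT_ACTION       # no binding, no group: treated like an unmatched pair
        return sgacl_lookup(src_sgt, dst_sgt, proto, dport)

    def readdress(self, old_ip: str, new_ip: str) -> None:
        """The 'what if my destination IP addresses change?' case from slide 82:
        only the binding moves; no ACE anywhere is edited."""
        self.ip_to_sgt[new_ip] = self.ip_to_sgt.pop(old_ip)


def trace(dc: EgressSwitch, src_group: str, dst_ip: str, proto: str, dport: int) -> str:
    """Verdict for a flow from a named source group to a server IP."""
    return dc.forward(SGT[src_group], dst_ip, proto, dport)
```

Note what the lookup never consults: the source IP, the source VLAN, or the switch the user plugged into. That is the "topology independent" claim in code, and it is also why the SGT must be assigned by an authenticated login rather than anything a host can set for itself.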
• 87. Media Access Control Security (MACsec): Layer-2 encryption per IEEE 802.1AE. An industry standard that works alongside 802.1X, which supplies the keying. It encrypts the link between the host and the switch; traffic in the switch backplane is unencrypted, so it can still be inspected. Requires a supplicant that supports MACsec and the key exchange (MKA, defined in 802.1X-2010). (Figure: encrypted link from the host to the switchport.)
• 88. Business Case Evolution: B.Y.O.D.
• 90. Business Case Continues to Evolve: the "i-Revolution". New requirement: "Our CEO went to a retail conference recently and won an iPad. He demands we allow it access to the network, because it is a productivity tool and we are prohibiting his productivity without the iPad." New requirement: allow access to i-devices. New term: "Bring Your Own Device" (BYOD).
• 91. Identity Services Engine: policy management for the Borderless Network. Context-based access:
    Who?    Known users (Employees, Sales, HR); unknown users (Guests).
    What?   Device identity; device classification (profile); device health (posture).
    How?    Wired; wireless; VPN.
    Where?  Geographic location; department; SSID / switchport.
    When?   Date; time; start/stop.
    Other?  Custom attributes; device/user states; access; applications used.
  Policy definition, policy enforcement, monitoring and troubleshooting.
• 92. How do we build a BYOD policy? What are the required parts of the policy?
    Corp asset?    AD member? Static list? MDM?
    AuthC type     Machine certs? User certs? Username/password? Certificate?
    Profile        i-Device; Android; Windows; Other
    AuthZ result   Full access; i-Net only; VDI + i-Net
• 93. Example BYOD Policy in ISE, using a pre-defined list of assets. Each rule reads as Device Type + User, giving a Result (slide 93 is the screenshot). The catch-all rule on slide 94: any user, on any i-device that is not in the above identity group (the pre-defined asset list), is assigned the Guest VLAN.
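An added Python example (not ISE's policy engine, and not from the original deck) showing the first-match rule evaluation behind the BYOD policy above: AD membership, authentication type, profiler result, posture and membership of a pre-defined asset list feed an ordered rule set whose last rule is the catch-all that sends unregistered i-devices to the Guest VLAN, and whose implicit default denies anything no rule claims. Rule names, result names, VLAN/dACL/SGT values and the session attribute set are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Session:
    """Attributes the policy server would hold at authorization time (field set assumed)."""
    username: Optional[str]      # None for MAB / unauthenticated sessions
    ad_groups: Set[str]
    auth_method: str             # "eap-tls-machine", "eap-tls-user", "peap-mschapv2", "mab", "webauth"
    profile: str                 # profiler result: "Windows", "Apple-iPad", "Android", "HP-Printer", ...
    mac: str
    posture: str = "unknown"     # "unknown", "compliant", "non-compliant"


@dataclass(frozen=True)
class Result:
    name: str
    vlan: Optional[str] = None
    dacl: Optional[str] = None
    sgt: Optional[int] = None


@dataclass
class Rule:
    name: str
    condition: Callable[[Session, "Policy"], bool]
    result: Result


@dataclass
class Policy:
    corp_idevices: Set[str]      # pre-defined asset list (endpoint identity group), upper-case MACs
    rules: List[Rule] = field(default_factory=list)
    default: Result = field(default_factory=lambda: Result("Deny-Access"))  # nothing matched

    def authorize(self, s: Session) -> Result:
        for rule in self.rules:  # ordered, first match wins, like an ISE authorization policy
            if rule.condition(s, self):
                return rule.result
        return self.default


def employee(s: Session) -> bool:
    return s.username is not None and "Domain Users" in s.ad_groups


def idevice(s: Session) -> bool:
    return s.profile.startswith("Apple-")


def registered(s: Session, p: Policy) -> bool:
    return s.mac.upper() in p.corp_idevices


def build_byod_policy(corp_idevices: Set[str]) -> Policy:
    return Policy({m.upper() for m in corp_idevices}, rules=[
        Rule("Corp-Windows-Compliant",
             lambda s, p: employee(s) and s.auth_method == "eap-tls-machine"
             and s.profile == "Windows" and s.posture == "compliant",
             Result("Full-Access", vlan="CORP", sgt=100)),
        Rule("Corp-Windows-Remediate",          # same asset, posture not (yet) compliant
             lambda s, p: employee(s) and s.auth_method == "eap-tls-machine"
             and s.profile == "Windows",
             Result("Remediation", vlan="CORP", dacl="PERMIT-REMEDIATION-SERVERS")),
        Rule("Employee-Android-UserCert",
             lambda s, p: employee(s) and s.auth_method == "eap-tls-user" and s.profile == "Android",
             Result("VDI-And-Internet", vlan="BYOD", dacl="PERMIT-VDI-INTERNET")),
        Rule("Employee-Registered-iDevice",
             lambda s, p: employee(s) and idevice(s) and registered(s, p),
             Result("Internet-Only", vlan="BYOD", dacl="PERMIT-INTERNET-ONLY")),
        Rule("Any-Unregistered-iDevice",        # the catch-all from slide 94
             lambda s, p: idevice(s) and not registered(s, p),
             Result("Guest", vlan="GUEST")),
    ])
```

Two details matter more than the rule bodies. Rule order is the policy: the remediation rule sits below the compliant rule, so a compliant machine is never quarantined by accident, and the i-device catch-all sits last so a registered device is matched by its narrower rule first. And the printer at the end of the test falls to the implicit Deny-Access, which is the safe answer when profiling has classified a device but no rule has said what it may do.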
• 95. Summary
• 96. Links. TrustSec & ISE on Cisco.com: http://www.cisco.com/go/trustsec, http://www.cisco.com/go/ise, http://www.cisco.com/go/isepartner. TrustSec & ISE Deployment Guide: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html. YouTube, Fundamentals of TrustSec: http://www.youtube.com/ciscocin#p/c/0/MJJ93N-3Iew
• 97. Q&A
• 98. We value your feedback. Please be sure to complete the Breakout Sessions Evaluation Form. Access today's presentations at cisco.com/ca/ciscoplus. Follow @CiscoCanada and join the #CiscoPlus conversation.