Today I'd like to document a portion of my first experience working in Cisco ISE 3.0 to craft a Wireless Access Policy. This task was a little unfamiliar due to the new skin applied to ISE 3.0, although we have been reassured by our Cisco team that under the hood it's much the same.
For my portion of this project I have to modify an existing 802.1X Policy for Wireless Clients so that it includes additional clients. My preferred way of onboarding clients to an 802.1X environment is hands-down EAP-TLS if you can do it (I am looking forward to learning to use EAP-SIM for devices with SIM cards). This is because you can take advantage of mutual authentication prior to the key exchange. Mutual authentication is a way of proving identity for both clients and servers.
I find certificate-based authentication far preferable to EAP-PEAP (where you use a username/password combination) for creating an 802.1X Secure Association. This is especially true when clients use a shared account or use their domain accounts on their personal wireless devices to connect. This causes a LOT of headaches in the real world, especially with account lockout. Nothing is worse than a situation where production is shut down because a password is misconfigured on a device and you have to track down the offending hardware!
You can find the Conditions Editor by navigating to the following URL:
https://<ise_admin_node>/admin/#policy/policy_elements/policy_elements_conditions/authentication
or via the GUI
My task at hand is to update our existing Policy Set for 802.1X Wireless access with a more specific Condition for a specific group of devices that cannot be managed in my Active Directory environment. These devices are to be onboarded via MDM, and I will create a new Authorization Policy using my custom Condition so I can be certain to build something that applies only to the desired clients.
*It seems to be the general consensus that one should have a more broad Authentication Policy (Proving WHO you are) and a more specific Authorization Policy (Permission to connect to the network).
When coupled with my MDM solution, this new Authorization Policy is going to allow me to flexibly add machines to my secure network using EAP-TLS instead of accepting risk that comes with EAP-PEAP username and password authentication. Additionally, since I am using an MDM, I gain remote-wipe and other security capabilities to protect valuable IP as well.
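To make the "broad Authentication Policy, specific Authorization Policy" idea concrete, here is an added Python model of how a policy set like the one described above is evaluated: rules are walked top-down and the first matching rule wins, which is why a custom Condition for the MDM-onboarded devices has to sit above any broader EAP-TLS rule. This is illustration code written for this post, not Cisco ISE's own code or API; the attribute names (`nas_port_type`, `eap_type`, `cert_issuer`, `mdm_registered`, `ad_domain_member`), the issuer name and the result strings are all constructed for the example.

```python
"""Simplified top-down, first-match policy evaluation in the style of an ISE
policy set. Constructed illustration only; attribute names, issuer name and
result strings are assumptions, not ISE identifiers."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Request:
    """Attributes a RADIUS access request would carry (names are illustrative)."""
    nas_port_type: str                  # "Wireless - IEEE 802.11" for Wi-Fi
    eap_type: str                       # "EAP-TLS" or "PEAP"
    cert_issuer: Optional[str] = None   # issuer CN from the client certificate, if any
    mdm_registered: bool = False        # assumed result of an MDM lookup
    ad_domain_member: bool = False      # assumed: machine is joined to the AD domain


Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    condition: Condition
    result: str


def evaluate(rules: List[Rule], request: Request, default: str) -> Tuple[str, str]:
    """Walk the rules top-down and return (rule name, result) of the first match."""
    for rule in rules:
        if rule.condition(request):
            return rule.name, rule.result
    return "Default", default


# Reusable conditions, the way the Conditions Editor lets you save them.
def wireless_dot1x(r: Request) -> bool:
    return r.nas_port_type == "Wireless - IEEE 802.11"


def eap_tls(r: Request) -> bool:
    return r.eap_type == "EAP-TLS"


def cert_from_corp_ca(r: Request) -> bool:
    return r.cert_issuer == "Example Corp Issuing CA"   # constructed issuer name


# Authentication policy: broad. Any wireless 802.1X request uses the same identity source.
AUTHN_RULES = [
    Rule("Wireless 802.1X", wireless_dot1x, "Certificate profile + AD identity store"),
]

# Authorization policy: specific rules first, broader ones later.
MDM_RULE = Rule(
    "MDM EAP-TLS devices",
    lambda r: eap_tls(r) and cert_from_corp_ca(r) and r.mdm_registered and not r.ad_domain_member,
    "PermitAccess + MDM_Devices VLAN",
)
AUTHZ_RULES = [
    MDM_RULE,
    Rule("Domain machines", lambda r: eap_tls(r) and r.ad_domain_member, "PermitAccess + Corp VLAN"),
    Rule("Legacy PEAP users", lambda r: r.eap_type == "PEAP", "PermitAccess + Restricted VLAN"),
]

# The ordering mistake: a broad "any EAP-TLS" rule placed above the MDM rule shadows it.
MISORDERED_AUTHZ_RULES = [
    Rule("Any EAP-TLS", eap_tls, "PermitAccess + Corp VLAN"),
    MDM_RULE,
    AUTHZ_RULES[2],
]


def authorize(request: Request, rules: List[Rule] = AUTHZ_RULES) -> Tuple[str, str]:
    """Authentication first; only an authenticated session reaches authorization."""
    _, authn_result = evaluate(AUTHN_RULES, request, "DenyAccess")
    if authn_result == "DenyAccess":
        return "Default", "DenyAccess"
    return evaluate(rules, request, "DenyAccess")


def shadowed_rules(rules: List[Rule], samples: List[Request]) -> List[str]:
    """Names of rules that no sample request ever reaches (a sign of bad ordering)."""
    reached = {authorize(s, rules)[0] for s in samples}
    return [rule.name for rule in rules if rule.name not in reached]


# Constructed sample requests covering each intended rule plus a non-wireless one.
MDM_DEVICE = Request("Wireless - IEEE 802.11", "EAP-TLS", "Example Corp Issuing CA", mdm_registered=True)
DOMAIN_LAPTOP = Request("Wireless - IEEE 802.11", "EAP-TLS", "Example Corp Issuing CA", ad_domain_member=True)
PEAP_USER = Request("Wireless - IEEE 802.11", "PEAP")
WIRED_HOST = Request("Ethernet", "EAP-TLS", "Example Corp Issuing CA", ad_domain_member=True)
SAMPLES = [MDM_DEVICE, DOMAIN_LAPTOP, PEAP_USER, WIRED_HOST]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.eap_type, req.nas_port_type, "->", authorize(req))
    print("shadowed (good order):", shadowed_rules(AUTHZ_RULES, SAMPLES))
    print("shadowed (bad order): ", shadowed_rules(MISORDERED_AUTHZ_RULES, SAMPLES))
```

Running the script shows the MDM device landing on its own rule when the specific rule is on top, and `shadowed_rules` reporting that same rule as unreachable once a broad EAP-TLS rule is placed above it. Checking a new Authorization rule against a handful of representative requests like this, before it goes live, is a cheap way to catch the ordering problem that otherwise only shows up as devices silently getting the wrong VLAN.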
*Chris Avants teaches a great class on ISE for Wireless, you can check it out here.