Uploaded by hollie-lucas, posted 17-Dec-2015
TRANSCRIPT

Page 1: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer
Page 2

Managing Policies for BYOD Network

BRKEWN-2020

Damodar Banodkar

Technical Marketing Engineer

Page 3

© 2014 Cisco and/or its affiliates. All rights reserved.BRKEWN-2020 Cisco Public

For Your Reference

• There are slides in your PDF that will not be presented, or will be presented only quickly.
• They are usually valuable, but are included only "For Your Reference".

Page 4

The Need for Managing Devices and Applications

• 56% of US information workers spend time working outside the office (Forrester)
• 100% of IT staff is struggling to keep up with mobility trends (Gartner)
• Smartphone connection speeds will grow 4-fold from 2011 to 2016 (Cisco VNI)
• Mobile video traffic will have an annual growth rate of 90% from 2011 to 2016 (Cisco VNI)

Page 5

Agenda: Managing Policies for BYOD Network

• Securely Board the Device
• Personal Devices on Network
• 3rd Party MDM
• Application Experience
• Simplified Services and Operations

Page 6

Wireless BYOD: Drivers and Assumptions

Drivers
• The majority of new network devices have no wired port
• Users will change devices more frequently than in the past
• Mobile devices have become an extension of our personality and work
• Guest / contractor access and accountability has become a mandatory business need

Assumptions
• Guests and contractors must be isolated and accounted for
• Users will have 1 wired and 2+ wireless devices moving forward
• The wireless network must be secure and as predictable as the wired network

Page 7

Spectrum of BYOD Strategies: Different Deployment Requirements for Different Environments

Controller-only BYOD
• Components: Cisco WLAN Controller
• Scope: wireless only
• Capabilities: basic profiling and policy on the WLC

Controller + ISE (Identity Services Engine): Wireless BYOD
• Components: Cisco WLAN Controller + ISE
• Scope: wireless only
• Capabilities: AAA + advanced profiling + device posture + client on-boarding + guest + Mobile Device Management (MDM)

Controller + ISE: Advanced BYOD
• Components: Cisco WLAN Controller + ISE + Cisco Catalyst Switch + ASA Firewall
• Scope: wired + wireless + remote access
• Capabilities: AAA + advanced profiling + device posture + client on-boarding + guest + MDM

Page 8

Cisco BYOD Device Policy Steps

Phase 1: Authentication (EAP between the client supplicant, the WLC and ISE)

Phase 2: Device / user identification (ISE profiling from MAC, DHCP, DNS and HTTP attributes)

Phase 3: Posture assessment, MDM, lost-device containment (ISE)

Phase 4: Device policy enforcement on the WLC
• QoS: Silver
• ACL: Allow-All
• VLAN: Employee
• AVC: Block YouTube

Decision: allowed device? If yes, allowed access; otherwise Internet-only.
Page 9

Contextual Policy for BYOD Deployments: Control and Enforcement

Identity and profiling flow (Unified Access Management: access point, Wireless LAN Controller, ISE; VLAN 10 / VLAN 20):

1. 802.1X EAP user authentication, with context such as location (HQ) and time (2:38pm)
2. Profiling to identify the device (ISE collects DHCP, RADIUS, SNMP, NetFlow, HTTP and DNS attributes)
3. Posture of the device
4. Policy decision: personal asset or company asset
5. Enforcement: dACL, VLAN, SGA, application
6. Full or partial access granted: corporate resources or Internet only

With the ISE, Cisco wireless can support multiple users and device types on a single SSID.

Page 10

Integrating WLC and ISE for Authentication and Profiling

Page 11

Extensible Authentication Protocol (EAP): Protocol Flow

Supplicant <-- EAP over LAN (EAPoL), Layer 2 point-to-point --> Authenticator <-- RADIUS, Layer 3 link --> Auth Server

Beginning:
  Supplicant -> Authenticator: EAPoL Start
  Authenticator -> Supplicant: EAPoL Request Identity
  Supplicant -> Authenticator: EAP-Response Identity: Alice
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]

Middle (multiple challenge/request exchanges possible; the authentication conversation between client and auth server runs inside a secure tunnel):
  Auth Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Authenticator -> Supplicant: EAP-Request: PEAP
  Supplicant -> Authenticator: EAP-Response: PEAP
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]

End:
  Auth Server -> Authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n]
  Authenticator -> Supplicant: EAP Success

• 802.1X (EAPoL) is a delivery mechanism; it does not provide the actual authentication method.
• When using 802.1X you need to choose an EAP type, such as EAP-TLS (Transport Layer Security) or PEAP, which defines how the authentication takes place. The EAP type is negotiated between the client and the RADIUS server.

Page 12

EAP Authentication Types: Different Authentication Options Leveraging Different Credentials

Tunneling-based: EAP-PEAP, EAP-TTLS, EAP-FAST
  Inner methods: EAP-GTC, EAP-MSCHAPv2

Certificate-based: EAP-TLS

• Tunnel-based: common deployments use a tunneling protocol (EAP-PEAP) combined with an inner EAP type such as EAP-MSCHAPv2. PEAP requires only a server-side certificate. The tunnel protects the inner EAP type, which may be vulnerable by itself. That protection holds only if the supplicant validates the server certificate (trusted CA and expected server name); a client configured to skip that check will build the tunnel to any server that presents a certificate and hand it the inner credential exchange.
• Certificate-based: for more security, EAP-TLS provides mutual authentication of both the server and the client.

Page 13

Factors in Choosing an EAP Method: The Most Common EAP Types are PEAP and EAP-TLS

Factors: EAP type(s) deployed, client support, security vs. complexity, authentication server support.

• Most clients, such as Windows, Mac OS X and Apple iOS devices, support EAP-TLS and PEAP (MS-CHAPv2).
  ‒ Additional supplicants can add more EAP types (Cisco AnyConnect).
• Certain EAP types (TLS) can be more difficult to deploy than others depending on device type.
  ‒ Cisco ISE Supplicant Provisioning can aid in the deployment.

Page 14

The RADIUS Protocol

• RADIUS is initiated by the network device: the authenticator sends Access-Requests to the server, so on its own the server has no way to change an authorization it has already granted.
• With Change of Authorization (CoA), the network device also listens for CoA requests from ISE, so ISE can act on a live session at any time.
• CoA actions: re-authenticate session, terminate session, terminate session with port bounce, disable host port.

Authenticator: "It's initiated by the client to the server, but not CoA..."
Auth server: "Now I can control ports when I want to!"

Page 15

IEEE 802.1X with Change of Authorization (CoA)

Supplicant <-- EAP over LAN (EAPoL), Layer 2 point-to-point --> Authenticator <-- RADIUS, Layer 3 link --> Auth Server

Change of Authorization:
  Auth Server -> Authenticator: RADIUS CoA-Request [VSA: subscriber:reauthenticate]
  Authenticator -> Auth Server: RADIUS CoA-Ack

Re-authentication (multiple challenge/request exchanges possible):
  Authenticator -> Supplicant: EAPoL Request Identity
  Supplicant -> Authenticator: EAP-Response Identity: Alice
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: Alice]
  Auth Server -> Authenticator: RADIUS Access-Challenge [AVP: EAP-Request PEAP]
  Authenticator -> Supplicant: EAP-Request: PEAP
  Supplicant -> Authenticator: EAP-Response: PEAP
  Authenticator -> Auth Server: RADIUS Access-Request [AVP: EAP-Response: PEAP]
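The CoA exchange on this and the previous two slides, as an added example that is not code from the deck or from Cisco: it builds the RADIUS CoA-Request (RFC 5176, code 43) that ISE sends to the controller with the Cisco av-pair subscriber:command=reauthenticate, computes the Request Authenticator the way RFC 5176 requires (MD5 over the packet with the 16-byte authenticator field zeroed, followed by the shared secret), verifies it the way an authenticator must before acting on a CoA, and answers with a CoA-ACK whose Response Authenticator is bound to the request. The shared secret, identifier, user name and MAC address are assumed values; the attribute numbers are the IETF and Cisco ones.

```python
"""RADIUS CoA-Request / CoA-ACK (RFC 5176) builder and verifier.

Added example, not code from the Cisco deck. Constructed packet with assumed
values (shared secret b"testing123", user alice, a MAC as Calling-Station-Id).
Attribute numbers: User-Name=1, Calling-Station-Id=31, Vendor-Specific=26,
Cisco vendor ID 9 with cisco-av-pair sub-type 1.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_VSA, ATTR_CALLING_STATION_ID = 1, 26, 31
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, total length, value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_av_pair(text: str) -> bytes:
    """Wrap 'key=value' in a Vendor-Specific attribute for vendor 9 (Cisco)."""
    sub = struct.pack("!BB", CISCO_AV_PAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def _authenticator(code: int, ident: int, attrs: bytes, secret: bytes, middle: bytes) -> bytes:
    """MD5(Code | ID | Length | <16 bytes> | Attributes | Secret). For a CoA-Request
    the 16 bytes are zeros; for a CoA-ACK/NAK they are the request's authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + middle + attrs + secret).digest()


def build_coa_request(secret: bytes, ident: int, username: str, mac: str,
                      command: str = "reauthenticate") -> bytes:
    """The CoA-Request ISE sends to the WLC ('subscriber:reauthenticate' on the slide)."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_CALLING_STATION_ID, mac.encode())
             + cisco_av_pair(f"subscriber:command={command}"))
    auth = _authenticator(COA_REQUEST, ident, attrs, secret, bytes(16))
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Authenticator-side check: recompute the Request Authenticator with the
    authenticator field zeroed and compare in constant time. A packet altered in
    transit or signed with a different secret fails and must get a CoA-NAK (or be dropped)."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = _authenticator(code, ident, packet[20:], secret, bytes(16))
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_ack(request: bytes, secret: bytes) -> bytes:
    """Answer a verified CoA-Request; the Response Authenticator covers the
    request's authenticator, so the ACK cannot be reused for another request."""
    ident = request[1]
    auth = _authenticator(COA_ACK, ident, b"", secret, request[4:20])
    return struct.pack("!BBH", COA_ACK, ident, 20) + auth


def parse_av_pairs(packet: bytes) -> list:
    """Extract the cisco-av-pair strings the authenticator has to act on."""
    pairs, body = [], packet[20:]
    while len(body) >= 2:
        t, length = body[0], body[1]
        if length < 2 or length > len(body):
            break  # malformed length: stop rather than loop forever
        value = body[2:length]
        if t == ATTR_VSA and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub = value[4:]
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if sub[0] == CISCO_AV_PAIR:
                    pairs.append(sub[2:sub[1]].decode(errors="replace"))
                sub = sub[sub[1]:]
        body = body[length:]
    return pairs


if __name__ == "__main__":
    secret = b"testing123"  # assumed shared secret for the example
    req = build_coa_request(secret, 7, "alice", "00-11-22-33-44-55")
    print(verify_coa_request(req, secret), parse_av_pairs(req))
    tampered = req[:-1] + bytes([req[-1] ^ 1])  # flip one bit of the last attribute
    print(verify_coa_request(tampered, secret))
```

The authenticator only proves knowledge of the shared secret; an authenticator should in addition accept CoA solely from the addresses of its configured RADIUS servers, since nothing else in the packet identifies the sender.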

Page 16

Change of Authorization (CoA): Changing Connection Policy Attributes Dynamically

ISE sends user- and device-specific attributes to the controller; CoA replaces them in the middle of the session.

Attribute      | Before (posture assessment and profiling) | After (employee policy applied)
Client status  | Unknown                                   | Profiled, Workstation
VLAN           | Limited Access                            | Employee
ACL            | Posture-Assessment                        | None
QoS            | Silver                                    | Gold
Application    | Block YouTube                             | Allow YouTube

Page 17

Enable CoA: AAA Override (For Your Reference)

1. Allow AAA Override, to permit ISE to modify user access permissions (CoA).
2. Allow AAA Override, to permit ISE to redirect the client to a specific URL.

On AireOS both are governed by the per-WLAN "Allow AAA Override" setting; the RADIUS server definition on the controller must additionally have CoA support enabled, otherwise CoA requests from ISE are not accepted.

Page 18

Cisco Wireless Controller User-Based Policy: AAA Override Attributes

• VLAN
• Quality of Service (QoS)
• Access Control List (ACL)
• URL Redirect
• CoA
• Application Control (AVC): new in AireOS 8.0
• Bonjour Service Policy: new in AireOS 8.0

Page 19

FlexConnect and AAA Override: Setting the VLAN for Locally Switched Clients

Topology: WLC and ISE at the central site, FlexConnect AP across the WAN with locally switched VLANs (e.g. VLAN 100 and VLAN 504).

ISE returns the VLAN in the IETF tunnel attributes: Tunnel-Type (IETF 64), Tunnel-Medium-Type (IETF 65) and Tunnel-Private-Group-ID (IETF 81).

Create the sub-interface for that VLAN on the FlexConnect AP and set the ACL on the VLAN; an override to a VLAN that has no sub-interface on the AP cannot be honoured locally.

Page 20

URL Redirection: Example TCP Traffic Flow for the Login Page

The user opens a browser and requests http://www.google.com:
  Host -> WLC: TCP port 80 SYN
  WLC -> Host: SYN-ACK
  Host -> WLC: ACK
  Host -> WLC: HTTP GET http://www.google.com
  WLC -> Host: Redirect to the HTTP login page on ISE (Central Web Auth, Client Provisioning, Posture, MDM, Guest Services)
  Host -> ISE: Username, Password

External URL Redirect (ISE) attributes returned in the authorization profile:
  Redirect URL: cisco:cisco-av-pair=url-redirect=https://url
  Redirect ACL: cisco:cisco-av-pair=url-redirect-acl=ACL-POSTURE

The ACL named in url-redirect-acl must already exist on the WLC under exactly that name; the two attributes are returned together, since a redirect URL without a redirect ACL gives the controller nothing to intercept.
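The attributes named on this slide (the url-redirect / url-redirect-acl av-pairs) and on the FlexConnect slide (IETF 64, 65 and 81 for the VLAN) are what the controller parses out of the Access-Accept. The following is an added example, not Cisco or ISE code, that decodes those attributes from a constructed Access-Accept the way an authenticator would, including the RFC 2868 tag byte in front of tunnel attributes and the rule that a VLAN override is only applied when Tunnel-Type=VLAN(13) and Tunnel-Medium-Type=IEEE-802(6) accompany the group ID. The Airespace vendor attribute numbers (vendor 14179; Airespace-ACL-Name 6, Airespace-QOS-Level 2 with Silver=0, Gold=1, Platinum=2, Bronze=3) are taken from the publicly available Airespace RADIUS dictionary, and the ISE portal URL is made up; check both against your own deployment.

```python
"""Parse the AAA-override attributes ISE returns in a RADIUS Access-Accept.

Added example, not code from the Cisco deck. IETF attribute numbers are from
RFC 2865/2868 (Vendor-Specific=26, Tunnel-Type=64, Tunnel-Medium-Type=65,
Tunnel-Private-Group-ID=81) and the Cisco VSA is vendor 9 / cisco-av-pair 1.
The Airespace numbers (vendor 14179, QOS-Level=2, ACL-Name=6) are assumed
from the public Airespace dictionary; verify them before relying on them.
"""
import struct

ATTR_VSA, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PGID = 26, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
CISCO, AIRESPACE = 9, 14179
CISCO_AV_PAIR, AIRESPACE_QOS_LEVEL, AIRESPACE_ACL_NAME = 1, 2, 6
QOS_LEVELS = {0: "Silver", 1: "Gold", 2: "Platinum", 3: "Bronze"}


def tlv(t: int, value: bytes) -> bytes:
    """Encode one attribute (or VSA sub-attribute) as type, length, value."""
    return struct.pack("!BB", t, len(value) + 2) + value


def vsa(vendor: int, sub_type: int, value: bytes) -> bytes:
    return tlv(ATTR_VSA, struct.pack("!I", vendor) + tlv(sub_type, value))


def iter_tlvs(body: bytes):
    """Yield (type, value) pairs; stop on a malformed length instead of looping."""
    while len(body) >= 2:
        t, length = body[0], body[1]
        if length < 2 or length > len(body):
            break
        yield t, body[2:length]
        body = body[length:]


def split_tag(value: bytes) -> bytes:
    """RFC 2868 tunnel attributes may start with a tag byte (0x00-0x1F);
    a first byte above 0x1F is already part of the value."""
    return value[1:] if value and value[0] <= 0x1F else value


def parse_overrides(packet: bytes) -> dict:
    """Return the policy elements a WLC would apply from an Access-Accept: VLAN
    (only with the full tunnel triple), ACL, QoS level and the url-redirect /
    url-redirect-acl pair used for CWA, posture and supplicant provisioning."""
    ov, tunnel_type, medium, group = {}, None, None, None
    for t, value in iter_tlvs(packet[20:]):  # skip the 20-byte RADIUS header
        if t == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(split_tag(value)[-3:], "big")
        elif t == ATTR_TUNNEL_MEDIUM:
            medium = int.from_bytes(split_tag(value)[-3:], "big")
        elif t == ATTR_TUNNEL_PGID:
            group = split_tag(value).decode(errors="replace")
        elif t == ATTR_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            for sub_t, sub_v in iter_tlvs(value[4:]):
                if vendor == CISCO and sub_t == CISCO_AV_PAIR:
                    key, _, val = sub_v.decode(errors="replace").partition("=")
                    if key in ("url-redirect", "url-redirect-acl"):
                        ov[key] = val
                elif vendor == AIRESPACE and sub_t == AIRESPACE_ACL_NAME:
                    ov["acl"] = sub_v.decode(errors="replace")
                elif vendor == AIRESPACE and sub_t == AIRESPACE_QOS_LEVEL and len(sub_v) == 4:
                    ov["qos"] = QOS_LEVELS.get(struct.unpack("!I", sub_v)[0], "unknown")
    # A bare Tunnel-Private-Group-ID must not move the client; all three are required.
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group:
        ov["vlan"] = group
    if ("url-redirect" in ov) != ("url-redirect-acl" in ov):
        ov["warning"] = "url-redirect and url-redirect-acl must be returned together"
    return ov


def sample_access_accept(with_redirect: bool) -> bytes:
    """Constructed Access-Accept (code 2) for the example; the authenticator is
    left as zeros because only attribute parsing is demonstrated here."""
    attrs = (tlv(ATTR_TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + tlv(ATTR_TUNNEL_MEDIUM, b"\x01" + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
             + tlv(ATTR_TUNNEL_PGID, b"\x01" + b"100")
             + vsa(AIRESPACE, AIRESPACE_QOS_LEVEL, struct.pack("!I", 0)))
    if with_redirect:  # posture / CWA result: redirect plus the ACL that scopes it
        attrs += (vsa(CISCO, CISCO_AV_PAIR, b"url-redirect=https://ise.example.com:8443/"
                                            b"guestportal/gateway?sessionId=0A0101050000000F&action=cwa")
                  + vsa(CISCO, CISCO_AV_PAIR, b"url-redirect-acl=ACL-POSTURE"))
    else:              # compliant employee: plain ACL override
        attrs += vsa(AIRESPACE, AIRESPACE_ACL_NAME, b"Allow-All")
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    print(parse_overrides(sample_access_accept(True)))
    print(parse_overrides(sample_access_accept(False)))
```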

Page 21

Cisco Wireless LAN Controller ACLs: Layer 3-4 Filtering at Line Rate

• ACLs provide L3-L4 policy and can be applied per interface or per user.
• Cisco 2500, 5508 and WiSM2 implement hardware, line-rate ACLs.
• Up to 64 rules can be configured per ACL.
• Rules are evaluated on the WLC in the inbound and outbound directions between the AP side and the wired LAN, with an implicit deny-all at the end of every ACL.

Page 22

Unified Access BYOD: Downloadable ACL Support

Report download: http://www.miercom.com/2013/05/cisco-wlc-5760/

Page 23

Cisco Wireless User-Based QoS Capabilities: Allowing Per-User and Per-Device Limiting of the Maximum QoS Level

WMM queues: Voice, Video, Best Effort, Background. QoS-tagged packets (e.g. from Call Manager) arrive at the access point; the QoS level the AAA server returned caps the queue each user's packets may enter.

• Employee (Platinum QoS): the AAA server returned QoS-Platinum, so packets marked with DSCP EF are allowed to enter the WMM Voice queue.
• Contractor (Silver QoS): the AAA server returned QoS-Silver, so even packets marked with DSCP EF are confined to the Best Effort queue.

Page 24

Cisco Wireless Application Control: AVC provides Layer 7 policies per user (by device type and user role)

Application priority:
• Real-time applications (business): High
• Non-real-time applications (business): Normal
• Casual applications: Low
• Malicious applications: Drop

Priority by user role (combined with application and device):
• Exec: High
• Employee: Normal
• Contractor: Low

Available in AireOS version 8.0 (new in 8.0).

Page 25

Cisco Wireless Bonjour Services Control: the Bonjour Gateway provides service policies per user

Bonjour service access by user role:
• Exec: AirPlay and AirPrint permitted
• Employee: AirPlay and AirPrint permitted
• Contractor: AirPlay denied

Page 26

Cisco BYOD Policy Elements

• VLAN
• Quality of Service (QoS)
• Access Control List (ACL)
• URL Redirect
• CoA
• Application Control (AVC): new in AireOS 8.0
• Bonjour Service Policy: new in AireOS 8.0

Page 27

Cisco BYOD Device Policy Steps (BYOD Policy Elements)

Phase 1: Authentication (EAP between the client supplicant, the WLC and ISE)

Phase 2: Device / user identification (ISE profiling from MAC, DHCP, DNS and HTTP attributes)

Phase 3: Posture assessment, MDM, lost-device containment (ISE)

Phase 4: Device policy enforcement on the WLC
• QoS: Silver
• ACL: Allow-All
• VLAN: Employee
• AVC: Block YouTube

Decision: allowed device? If yes, allowed access; otherwise Internet-only.

Page 28

BYOD with ISE (Identity Services)

Page 29

ISE Device Profiling Example: iPad

• Once the device is profiled, it is stored within the ISE for future associations.

Profiling questions that build up the match:
• Is the MAC address from Apple?
• Does the hostname contain "iPad"?
• Is the web browser Safari on an iPad?
Result: Apple iPad

Page 30

Client Attributes Used for ISE Profiling: How RADIUS, HTTP, DNS and DHCP (and Others) Are Used to Identify Clients

• The ISE uses multiple attributes to build a complete picture of the end client's device profile.
• Information is collected from sensors which capture different attributes. The ISE can even kick off an NMAP scan of the host IP to determine more details.

1. RADIUS: provides the MAC address, which is checked against the known vendor OUI database.
2. DHCP/HTTP sensor: the client's DHCP/HTTP attributes are captured by the AP and provided in RADIUS Accounting messages.
3. DNS: a lookup of the DNS entry for the client's IP address reveals the hostname.
4. HTTP User-Agent: the device is redirected using a captive portal to the ISE for web browser identification.

Page 31

ISE Device Profiling Capabilities: Over 200 Built-in Device Policies, Defined Hierarchically by Vendor

Example top-level groups: Smart Phones, Gaming Consoles, Workstations, each broken down by vendor.

1. Multiple rules establish a confidence level (each matching rule adds its certainty factor).
2. A minimum confidence is required for a match.
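How the rules on this and the previous two slides combine into a match, as an added example rather than ISE code: each profiler policy carries weighted conditions (certainty factors), a policy matches when its summed certainty reaches its minimum confidence, and a child policy (Apple-iPad under Apple-Device) is only evaluated once its parent matched. The policy names, weights, thresholds, the three OUIs and the sample endpoints are all assumptions. The second sample endpoint shows why the result is a hint and not proof: every attribute scored here (MAC, DHCP hostname, DHCP class identifier, User-Agent) is chosen by the endpoint, so profiling should differentiate authorization but never replace authentication.

```python
"""Certainty-factor device profiling in the style of the ISE profiler.

Added example, not Cisco code: the three profiler policies, their certainty
weights and minimum-confidence thresholds, the short OUI list and the
constructed sample endpoints are assumptions chosen to mirror the slides
(Apple OUI, hostname containing "iPad", Safari-on-iPad User-Agent).
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Three Apple OUIs for the example; a real profiler consults the full IEEE list.
APPLE_OUIS = {"3C:22:FB", "A4:83:E7", "F0:18:98"}


@dataclass(frozen=True)
class Endpoint:
    mac: str                  # from RADIUS Calling-Station-Id
    dhcp_hostname: str = ""   # DHCP option 12, via the WLC/AP sensor
    dhcp_class_id: str = ""   # DHCP option 60, e.g. "MSFT 5.0"
    user_agent: str = ""      # HTTP User-Agent seen at the redirect portal


@dataclass(frozen=True)
class ProfilerPolicy:
    name: str
    parent: Optional[str]      # hierarchy: a child is tried only if its parent matched
    min_certainty: int         # "minimum confidence for a match"
    rules: Tuple[Tuple[int, Callable[[Endpoint], bool]], ...]  # (certainty factor, condition)


POLICIES: Dict[str, ProfilerPolicy] = {
    "Apple-Device": ProfilerPolicy("Apple-Device", None, 10, (
        (10, lambda e: e.mac.upper()[:8] in APPLE_OUIS),
    )),
    "Apple-iPad": ProfilerPolicy("Apple-iPad", "Apple-Device", 20, (
        (10, lambda e: "ipad" in e.dhcp_hostname.lower()),
        (20, lambda e: "iPad" in e.user_agent and "Safari" in e.user_agent),
    )),
    "Windows-Workstation": ProfilerPolicy("Windows-Workstation", None, 10, (
        (10, lambda e: e.dhcp_class_id.startswith("MSFT")),
        (10, lambda e: "Windows NT" in e.user_agent),
    )),
}


def depth(name: str, policies: Dict[str, ProfilerPolicy]) -> int:
    d, p = 0, policies[name]
    while p.parent is not None:
        p, d = policies[p.parent], d + 1
    return d


def certainty(policy: ProfilerPolicy, e: Endpoint) -> int:
    """Sum the certainty factor of every rule whose condition holds."""
    return sum(cf for cf, cond in policy.rules if cond(e))


def profile_endpoint(e: Endpoint, policies: Dict[str, ProfilerPolicy] = POLICIES) -> dict:
    """Evaluate parents before children, keep every policy whose score reaches its
    minimum certainty, and report the most specific (deepest) match; a tie between
    unrelated top-level policies goes to the higher score. Every input is supplied
    by the endpoint itself, so the result is an identity hint, not proof."""
    scores, matched = {}, []
    for name in sorted(policies, key=lambda n: depth(n, policies)):
        policy = policies[name]
        if policy.parent is not None and policy.parent not in matched:
            continue  # parent did not match: the child is never scored
        scores[name] = certainty(policy, e)
        if scores[name] >= policy.min_certainty:
            matched.append(name)
    best = max(matched, key=lambda n: (depth(n, policies), scores[n])) if matched else "Unknown"
    return {"profile": best, "scores": scores}


# Constructed endpoints for the example.
SAMPLES = {
    "ipad": Endpoint("3C:22:FB:11:22:33", "Alices-iPad", "",
                     "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 "
                     "(KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53"),
    # Windows laptop with a cloned Apple MAC and an "iPad" hostname: the OUI rule
    # still fires, but the DHCP class identifier and User-Agent say Windows.
    "spoofed": Endpoint("3C:22:FB:AA:BB:CC", "iPad-lookalike", "MSFT 5.0",
                        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"),
    "laptop": Endpoint("00:1A:A0:0B:0C:0D", "CORP-LT-042", "MSFT 5.0"),
    "unknown": Endpoint("00:11:22:33:44:55"),
}

if __name__ == "__main__":
    for label, ep in SAMPLES.items():
        print(label, profile_endpoint(ep))
```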

Page 32

Defining a BYOD Policy Within ISE

Page 33

ISE Authentication Sources

• Cisco ISE can reference a variety of backend identity stores including Active Directory, PKI, LDAP and RSA SecurID.
• The local database on the ISE itself can also be used for small deployments.

Credentials presented over EAPoL and RADIUS: user/password (e.g. user1 / C#2!ç@_E(), certificate, token.
Backend databases: Active Directory, generic LDAP or PKI; RSA SecurID; local DB.
Supports user and/or machine authentication.

Page 34

Steps for Configuring ISE Policies (BYOD Policy Elements)

1. Authentication rules
   • Define which identity stores to reference.
   • Example: Active Directory, CA server or internal DB.
2. Authorization rules
   • Define which users and devices get access to which resources.
   • Example: all employees with Windows laptops have full access.

Page 35

Authentication Rules: Example for PEAP and EAP-TLS

1. Reference Active Directory for PEAP authentication.
2. Create another profile to reference the certificate store (for EAP-TLS).

Page 36

Authorization Rules Configuration: Flexible Conditions Connecting Both User and Device

Policy authorization (simple):
1. Specific device type groups (such as Workstations or iPods) can be utilized.
2. Active Directory groups can be referenced.
3. The authorization rule results in attributes that enforce policy on end devices.

Page 37

Authorization Rule "Results": The Actual Permissions Referenced by the Authorization Rules

The authorization rules provide a set of conditions to select an authorization profile. The profile contains all of the connection attributes including VLAN, ACL and QoS. These attributes are sent to the controller for enforcement, and they can be changed at a later time using CoA (Change of Authorization).

1. Simple VLAN override by specifying the tag.
2. All WLC attributes are exposed to override.

Page 38

Authorization Rule "Results": The Application and Bonjour Profile Referenced in the Authorization Profile

WLC attributes available for AAA override: URL Redirect, VLAN, Quality of Service (QoS), Access Control List (ACL), Application Control (AVC), Bonjour Service Policy. The AVC and Bonjour policy overrides are new in AireOS 8.0.

Page 39

BYOD Device Provisioning

Page 40

Putting the End User in Control: Simplified On-Boarding for BYOD

Self-service model: device onboarding, certificate provisioning and supplicant provisioning for iOS, Android, Windows and Mac OS, managed by the user through the My Devices portal.

Page 41

Apple iOS Device Provisioning (WLC, ISE and CA server)

1. Initial connection using PEAP with the user's credentials.
2. Device provisioning wizard: ISE provisions the supplicant, a device certificate is issued through the CA server, and ISE then sends a Change of Authorization.
3. Future connections use EAP-TLS with the provisioned certificate.

Page 42

Defining the Supplicant Provisioning Authorization Profile

1. Configure the redirect ACL on the WLC.
2. Choose "Supplicant Provisioning" for the redirect portal (URL Redirect).

Page 43

"My Devices" Portal: Self-Registration and Self-Blacklisting of BYOD Devices

1. New devices can be added with a description.
2. Devices can be marked lost by the user.
3. Lost devices can be blackholed using url-redirect.

Demo video: www.youtube.com/watch?v=lgJCJNgFjEM

Page 44

Ensuring Endpoint Compliance: Endpoint Health Assessment

A wired, wireless or VPN user found non-compliant gets temporary limited network access until remediation is complete.

Sample employee policy:
• Microsoft patches updated
• McAfee AV installed, running and current
• Corporate asset checks
• Enterprise application running

Challenge:
• Understanding the health of the device
• Varying level of control over devices
• Cost of remediation

Value:
• Temporal (web-based) or persistent agent
• Automatic remediation
• Differentiated policy enforcement based on role

Page 45

MDM Integration

MDM attributes available to ISE policy: MDM registered, ISE registered, PIN locked, encryption, jailbroken.

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Page 46

Visibility with Prime Infrastructure and ISE Integration

1. Device identity from the ISE integration
2. Policy information, including the Windows AD domain
3. AAA override parameters applied to the client

Both wired and wireless clients appear in a single list.

Page 47

Local Profiling on WLC

Page 48

Build BYOD Policy: Flexible Options. Different Deployment Requirements for Different Environments

Controller + ISE (Identity Services Engine): Wireless BYOD. ISE consolidates the functions that previously required separate products (ACS, NAC Profiler, Guest Server, NAC Manager, NAC Server):
• Centralized policy
• RADIUS server
• Posture assessment
• Guest access services
• Device profiling
• Client provisioning
• MDM
• Monitoring, troubleshooting, reporting

Page 49

Build BYOD Policy: Flexible Options. Local Profiling & Policy on the WLC (wireless only)

Network components: WLC plus a RADIUS server (e.g. ISE Base, ACS).
Policy elements: time of day, authentication type, device type, user role.
Policy enforced: VLAN, access list, QoS, application, services (Bonjour).

Page 50

WLC Native Profiling for BYOD Deployments

Identity flow (Unified Access Management: access point, Wireless LAN Controller, RADIUS server; VLAN 10 / VLAN 20):

1. Authentication; the RADIUS server returns the user role
2. Profiling to identify the device (personal or corporate)
3. Auth-type (EAP method used)
4. Time of day
5. Policy decision
6. Enforcement: ACL, VLAN, QoS, application, Bonjour; outcome is corporate resources or Internet only

Page 51

Configuring User Role

The RADIUS server returns the role as an attribute (role=Employee, role=Contractor); the controller maps each role to a privilege level (Employee, Contractor).

Page 52

Native Device Profiling on the WLC (device type)

Cisco WLC configuration:
Step 1: Enable DHCP and HTTP profiling on the WLC.
Step 2: Use the 156 pre-defined device signatures.
Step 3: Create the device profiling policy.

Page 53

Native Profiling Authentication and Time Policy

Authentication: match on the wireless client's EAP type (LEAP, EAP-FAST, EAP-TLS, PEAP).
Time of day: active hours for the policy (time-based policy).

Page 54

Enforce Policy on the WLC

Enforced policy elements: ACL*, VLAN, QoS*, session timeout, application control, mDNS policy.

* Supported in FlexConnect mode

Page 55

Applying Native Profiling Policy per WLAN / AP Group

Native profiling policies can be applied per WLAN or per AP group.

Restriction: the first matched rule applies, so order rules from most specific to most general; a broad rule listed first silently takes precedence over every narrower rule below it.
Maximum 16 policies can be created per WLAN / AP group and 64 globally.
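The first-match restriction above is easy to get wrong when a broad rule is listed ahead of a narrower one. The following added example (not WLC code) models native-profiling local policies with the match criteria (device type, user role, EAP type, time of day) and enforcement elements (ACL, VLAN, QoS, AVC profile, mDNS profile) that the preceding slides list, applies the 16-per-WLAN and 64-global limits, evaluates sessions first-match, and flags any rule that an earlier rule shadows completely. Policy names, match values, times and the sample sessions are assumptions.

```python
"""First-match evaluation of WLC local (native profiling) policies.

Added example, not Cisco code. It models the slides' restriction that the
first matched rule applies, plus the limits of 16 policies per WLAN / AP group
and 64 per controller. Policy names, match values, times and the constructed
sessions are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Optional, Set

MAX_PER_WLAN, MAX_GLOBAL = 16, 64


@dataclass(frozen=True)
class Session:
    device_type: str   # from WLC DHCP/HTTP profiling, e.g. "Apple-iPad"
    role: str          # from the RADIUS server, e.g. role=Contractor
    eap_type: str      # LEAP, EAP-FAST, EAP-TLS or PEAP
    when: time         # time of day the client associated


@dataclass
class LocalPolicy:
    name: str
    device_types: Optional[Set[str]] = None   # None means "any"
    roles: Optional[Set[str]] = None
    eap_types: Optional[Set[str]] = None
    active_from: time = time(0, 0)
    active_to: time = time(23, 59, 59)
    enforce: Dict[str, str] = field(default_factory=dict)  # acl, vlan, qos, avc, mdns, ...

    def matches(self, s: Session) -> bool:
        return ((self.device_types is None or s.device_type in self.device_types)
                and (self.roles is None or s.role in self.roles)
                and (self.eap_types is None or s.eap_type in self.eap_types)
                and self.active_from <= s.when <= self.active_to)


def covers(a: LocalPolicy, b: LocalPolicy) -> bool:
    """True when every session that matches b also matches a, i.e. a listed
    earlier shadows b completely."""
    def wider(x, y):
        return x is None or (y is not None and y <= x)
    return (wider(a.device_types, b.device_types) and wider(a.roles, b.roles)
            and wider(a.eap_types, b.eap_types)
            and a.active_from <= b.active_from and a.active_to >= b.active_to)


def shadowed(policies: List[LocalPolicy]) -> List[str]:
    """Names of policies that can never be selected under first-match order."""
    return [later.name for i, later in enumerate(policies)
            if any(covers(earlier, later) for earlier in policies[:i])]


class Wlan:
    def __init__(self, ssid: str, policies: List[LocalPolicy], default: Dict[str, str]):
        if len(policies) > MAX_PER_WLAN:
            raise ValueError(f"{ssid}: at most {MAX_PER_WLAN} local policies per WLAN / AP group")
        self.ssid, self.policies, self.default = ssid, list(policies), default

    def evaluate(self, s: Session) -> Dict[str, str]:
        """First matched rule applies; later, more specific rules are not consulted."""
        for p in self.policies:
            if p.matches(s):
                return {"policy": p.name, **p.enforce}
        return {"policy": "wlan-default", **self.default}


def check_global_limit(wlans: List[Wlan]) -> int:
    total = sum(len(w.policies) for w in wlans)
    if total > MAX_GLOBAL:
        raise ValueError(f"{total} local policies configured, controller limit is {MAX_GLOBAL}")
    return total


# Constructed policies: a broad Contractor rule and a narrower one for iPads in office hours.
CONTRACTOR_ANY = LocalPolicy("contractor-internet-only", roles={"Contractor"},
                             enforce={"vlan": "20", "acl": "Internet-Only", "qos": "Silver"})
CONTRACTOR_IPAD_HOURS = LocalPolicy("contractor-ipad-office-hours", device_types={"Apple-iPad"},
                                    roles={"Contractor"}, active_from=time(8, 0), active_to=time(18, 0),
                                    enforce={"vlan": "20", "acl": "Internet-Only", "qos": "Silver",
                                             "avc": "Drop-BitTorrent", "mdns": "No-AirPlay"})
EMPLOYEE_TLS = LocalPolicy("employee-eap-tls", roles={"Employee"}, eap_types={"EAP-TLS"},
                           enforce={"vlan": "10", "acl": "Allow-All", "qos": "Gold"})
WRONG_ORDER = [CONTRACTOR_ANY, CONTRACTOR_IPAD_HOURS, EMPLOYEE_TLS]
RIGHT_ORDER = [CONTRACTOR_IPAD_HOURS, CONTRACTOR_ANY, EMPLOYEE_TLS]
DEFAULT = {"vlan": "20", "acl": "Internet-Only", "qos": "Silver"}

# Constructed client sessions for the example.
SAMPLES = {
    "ipad-contractor-morning": Session("Apple-iPad", "Contractor", "PEAP", time(10, 30)),
    "ipad-contractor-evening": Session("Apple-iPad", "Contractor", "PEAP", time(20, 0)),
    "employee-peap": Session("Windows-Workstation", "Employee", "PEAP", time(9, 0)),
    "employee-tls": Session("Windows-Workstation", "Employee", "EAP-TLS", time(9, 0)),
}

if __name__ == "__main__":
    print("shadowed:", shadowed(WRONG_ORDER))
    for order in (WRONG_ORDER, RIGHT_ORDER):
        print(Wlan("BYOD", order, DEFAULT).evaluate(SAMPLES["ipad-contractor-morning"]))
```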

Page 56

Required Network Components and Versions (For Your Reference)

Cisco Wireless LAN, by platform:
• OS version: 5508 / WiSM2, 7500 and 2500 from AireOS 7.2.x onwards; 8500 from AireOS 7.3.x onwards; Unified Access (5760 / 3850) from IOS XE 3.2.2 onwards; 440x / WiSM1 and 210x from AireOS 7.0.116 onwards
• CoA support: 802.1X and L3 web-auth WLANs (802.1X WLANs only on 440x / WiSM1 and 210x)
• Access point mode for profiling and posture: local and FlexConnect mode (local mode only on 440x / WiSM1 and 210x)
• Limited profiling and policy on the WLC: AireOS 7.5 onwards*; N/A on the other platforms
• Extra license: none

Identity Services Engine: version 1.1.1 onwards; licenses for onboarding, profiling, posture and MDM: Advanced / Wireless license.

* FlexConnect mode: no WLC BYOD support for local authentication on the AP.

Page 57

Beyond BYOD: The Optimized Experience for Every Workspace

BYOD: device onboarding and network access, unified BYOD policy.
Beyond BYOD: application experience, simplified operations.

Page 58

Application Visibility and Control (AVC)

Page 59

What is the Need for AVC? Visibility, control and planning across devices and apps

• Who are the top 10 users?
• What are the top 10 applications?
• How much traffic is BYOD generating on my network?
• Is someone running BitTorrent and bringing down my business applications?
• Should I add more APs to enhance the capacity?
Page 60

What is Application Visibility & Control on Wireless Controllers?

• NBAR2 library: deep packet inspection classifies traffic (real time, interactive, non-real time, background).
• NetFlow (static template): provides flow export to Cisco Prime or a third-party NetFlow collector, for troubleshooting, capacity planning and compliance.
• Policy: packet mark and drop.

Page 61

How Does AVC Classify Applications: Cisco Jabber

Deep packet inspection yields three classification flows for Cisco Jabber (Cisco Jabber Video, Cisco Jabber Audio and Cisco Jabber Control), so different policies can be applied to the different components of a Jabber session.

Demo video: www.youtube.com/watch?v=1kt2hvo4UL4

Page 62

Enabling Application Visibility and Control: AVC is enabled per WLAN to allow deep packet inspection

1. Change the QoS level to reflect the highest application level for that SSID.
2. Enable Application Visibility.
3. Ensure WMM is set to "Allowed" or "Required".

Page 63

Basic Application Visibility Added on the Controller Home Screen

Top applications are shown sorted by bytes. Use "Monitor" -> "Applications" to view more statistics.

Page 64

Viewing Real-Time Statistics: Use for Assessing Current Usage or Troubleshooting

• Application usage displayed by % of total bytes for the last 90 seconds
• Average packet size, to see small vs. large packet flows
• Real-time QoS markings: DSCP marking per client (last 90 seconds)

Page 65

Viewing Historical Statistics: Use for Assessing Overall Usage

• Cumulative statistics: application usage displayed by % of total bytes
• Total bytes transferred, useful for tracking down bandwidth hogs

Page 66: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Application Control

Control application usage and performance. The figure shows three AVC profiles applied to traffic at high, medium and low priority:

• AVC Profile – Mark Citrix

• AVC Profile – Rate Limit Facebook

• AVC Profile – Drop BitTorrent

Page 67: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

AVC Configuration for AAA Override: Example – Teacher, Student

Page 68: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Applying AVC Profiles (For Your Reference)

1. Create an AVC Profile for applications at Wireless > AVC. A maximum of 32 rules can be created per AVC Profile.

2. Apply the AVC Profile to the WLAN.

3. Apply the AVC Profile per client using AAA Override (RADIUS server) or using local profiling on the WLC (both new in 8.0).
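The profile model behind the three slides above (mark / rate-limit / drop actions, the 32-rule limit, and the WLAN QoS level acting as the ceiling for any marking), as an added Python example that is not part of the Cisco deck or of AireOS. The application names, DSCP values, rate figures and the Platinum/Gold/Silver ceiling mapping are constructed for the example; the rate limiter is a per-second budget per client and application, a simplification of what a controller does.

```python
"""Model of an AVC profile: ordered rules (max 32) that mark, drop or
rate-limit classified application flows, with the WLAN QoS level acting
as a DSCP ceiling. Added example, not Cisco code; names and values are
constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_RULES_PER_PROFILE = 32   # limit stated on the slide

# WLAN QoS level -> highest DSCP the WLAN may carry (assumed mapping for
# this example: Platinum = EF, Gold = AF41, Silver = best effort).
QOS_CEILING = {"platinum": 46, "gold": 34, "silver": 0}


@dataclass
class Rule:
    application: str                 # NBAR2 application name from DPI
    action: str                      # "mark", "drop" or "rate-limit"
    dscp: Optional[int] = None       # used by "mark"
    rate_kbps: Optional[int] = None  # used by "rate-limit"


@dataclass
class Flow:
    client: str
    application: str
    dscp: int          # marking on the packet before AVC
    kbits: int         # size of this burst in kilobits


@dataclass
class AvcProfile:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_PROFILE:
            raise ValueError(f"profile {self.name}: max {MAX_RULES_PER_PROFILE} rules")
        if rule.action not in ("mark", "drop", "rate-limit"):
            raise ValueError(f"unknown action {rule.action}")
        self.rules.append(rule)

    def lookup(self, application: str) -> Optional[Rule]:
        return next((r for r in self.rules if r.application == application), None)


class Wlan:
    """A WLAN with one AVC profile and a QoS level; usage is tracked per
    client and application within a one-second window for rate limits."""

    def __init__(self, profile: AvcProfile, qos_level: str) -> None:
        self.profile = profile
        self.ceiling = QOS_CEILING[qos_level]
        self.usage: Dict[Tuple[str, str], int] = {}

    def new_second(self) -> None:
        self.usage.clear()

    def apply(self, flow: Flow) -> dict:
        rule = self.profile.lookup(flow.application)
        dscp, verdict = flow.dscp, "forward"
        if rule is not None and rule.action == "drop":
            verdict = "drop"
        elif rule is not None and rule.action == "mark":
            dscp = rule.dscp
        elif rule is not None and rule.action == "rate-limit":
            key = (flow.client, flow.application)
            used = self.usage.get(key, 0) + flow.kbits
            if used > rule.rate_kbps:
                verdict = "drop"     # over the configured rate in this second
            else:
                self.usage[key] = used
        dscp = min(dscp, self.ceiling)  # WLAN QoS level caps the marking
        return {"client": flow.client, "application": flow.application,
                "dscp_before": flow.dscp, "dscp_after": dscp, "verdict": verdict}


def demo() -> List[dict]:
    profile = AvcProfile("byod-avc")
    profile.add_rule(Rule("citrix", "mark", dscp=34))
    profile.add_rule(Rule("facebook", "rate-limit", rate_kbps=500))
    profile.add_rule(Rule("bittorrent", "drop"))
    wlan = Wlan(profile, qos_level="gold")
    flows = [   # constructed sample flows within one second
        Flow("aa:bb:cc:00:00:01", "citrix", dscp=0, kbits=200),
        Flow("aa:bb:cc:00:00:01", "facebook", dscp=0, kbits=400),
        Flow("aa:bb:cc:00:00:01", "facebook", dscp=0, kbits=400),
        Flow("aa:bb:cc:00:00:02", "bittorrent", dscp=46, kbits=900),
        Flow("aa:bb:cc:00:00:02", "jabber-video", dscp=46, kbits=300),
    ]
    return [wlan.apply(f) for f in flows]
```

The last flow shows why step 1 of the enabling procedure matters: a client that marks its own traffic EF (46) on a Gold WLAN still leaves the WLAN at AF41 (34), so the per-SSID QoS level must be set to the highest class the SSID is meant to carry before per-application marking can take effect.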

Page 69: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

NBAR2 – Regular Updates: In-service Application Definition Update

• Standard Protocol Pack
  – Includes only a subset of protocols
  – No support for traffic categorization and attributes
  – Available (as default protocol pack) in IP Base image
  – No periodic releases and SLA

• Advanced Protocol Pack
  – Includes all supported protocols / applications
  – Supports traffic categorization and attributes
  – Available (as default protocol pack) in DATA image
  – Periodic releases and offers SLA

Figure: a Protocol Pack bundles Protocol 1 … Protocol n for the NBAR2 engine. Release cadence: PP X (Major): ~10 protocols, updates and fixes; PP X.1 (Minor): bug fixes, small updates; PP Y (Major): ~10 protocols, updates and fixes; PP Y.1 (Minor): bug fixes, small updates. PP 6.3 available.

Page 70: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

NBAR2 Protocol Pack Example

• Add new applications recognized by NBAR2 without WLC reload

• New protocol pack is published every two months on CCO

• Single CLI to enable the protocol pack

Page 71: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Application Visibility at Cisco Prime

Application filter / visibility per:

• SSID

• Client

• Building

• Floor

• Device (AP/Controller)

Application-based reporting, wired/wireless, with third-party NetFlow (figure label: Plan).

Page 72: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Application Visibility with 3rd Party Vendors

• Using NetFlow exports, third-party tools like Plixer Scrutinizer can visualize the data and track it historically.

• Custom reports in this 3rd party tool allow viewing of upstream and downstream flows as well as client DSCP markings.

Page 73: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Cisco Wireless NetFlow Record

NetFlow record fields: Client MAC, Access Point MAC, Before-AVC DSCP, After-AVC DSCP, SSID, Application Tag, Client IP, Packet Count, Octet Count.

• NetFlow v9 monitors data from layer 2 through 7.

• Determines applications by a combination of port and payload.

• Flow information contains client, wireless infrastructure, application, QoS marking and bandwidth detail.

Visibility: what applications, how much bandwidth, flow direction? (NetFlow and NBAR2)

Page 74: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Netflow Collection and Export Configuration (For Your Reference)

The WLC collects application bandwidth and exports it as NetFlow v9 to a management tool for reporting (figure: WLC – Netflow Collection & Exporting – NFv9 – Reporting Tools).

1. Create Netflow Monitor and Exporter at Wireless > Netflow.

2. Apply Netflow monitor per WLAN.
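What the reporting tool on the receiving end of that export has to do with the record shown two slides earlier, as an added Python example that is not part of the Cisco deck or of any Cisco collector: it builds a NetFlow v9 packet (header, template flowset, data flowset) carrying the nine record fields from the slide, then decodes it template-first the way a collector must. The element IDs in the field table are assumed for illustration only; a real collector learns the WLC's layout from the template flowset it receives. The two records are constructed.

```python
"""Encode and decode a NetFlow v9 export carrying the wireless AVC record
fields listed on the slide. Added example, not Cisco code: element IDs are
illustrative (assumed) and the records are constructed."""
import struct
import time
from typing import Dict, List, Tuple

TEMPLATE_ID = 256                    # data templates start at 256 in v9
# (name, element id, length); the ids are assumed for this example
FIELDS: List[Tuple[str, int, int]] = [
    ("client_mac", 56, 6), ("ap_mac", 80, 6),
    ("dscp_before_avc", 195, 1), ("dscp_after_avc", 198, 1),
    ("ssid", 147, 16), ("application_tag", 95, 4),
    ("client_ip", 8, 4), ("packet_count", 2, 4), ("octet_count", 1, 4),
]
NAMES = {fid: name for name, fid, _ in FIELDS}


def encode_field(name: str, value, length: int) -> bytes:
    if name.endswith("_mac"):
        return bytes.fromhex(value.replace(":", ""))
    if name == "ssid":
        return value.encode()[:length].ljust(length, b"\x00")
    if name == "client_ip":
        return bytes(int(o) for o in value.split("."))
    return int(value).to_bytes(length, "big")


def decode_field(name: str, raw: bytes):
    if name.endswith("_mac"):
        return ":".join(f"{b:02x}" for b in raw)
    if name == "ssid":
        return raw.rstrip(b"\x00").decode(errors="replace")
    if name == "client_ip":
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def build_export(records: List[Dict], seq: int = 1) -> bytes:
    """One packet: header, template flowset (id 0), data flowset (id = template)."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    tmpl += b"".join(struct.pack("!HH", fid, ln) for _, fid, ln in FIELDS)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(encode_field(n, rec[n], ln) for rec in records for n, _, ln in FIELDS)
    data += b"\x00" * (-len(data) % 4)           # flowsets are padded to 4 bytes
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    count = 1 + len(records)                      # template + data records
    header = struct.pack("!HHIIII", 9, count, 0, int(time.time()), seq, 0)
    return header + template_fs + data_fs


def parse_export(packet: bytes, templates: Dict[int, List[Tuple[int, int]]] = None) -> List[Dict]:
    """Template-driven decode; `templates` persists across packets of one exporter.
    Data flowsets whose template has not been seen yet are skipped."""
    templates = {} if templates is None else templates
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, pos = [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length")   # never loop on a zero length
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:                                 # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:      # data flowset, known template
            fields = templates[fs_id]
            rec_len = sum(ln for _, ln in fields)
            p = 0
            while p + rec_len <= len(body):            # stops before the padding
                rec, q = {}, p
                for fid, ln in fields:
                    name = NAMES.get(fid, f"field_{fid}")
                    rec[name] = decode_field(name, body[q:q + ln])
                    q += ln
                records.append(rec)
                p += rec_len
        pos += fs_len
    return records


def demo() -> List[Dict]:
    sample = [   # constructed records
        {"client_mac": "aa:bb:cc:00:00:01", "ap_mac": "00:11:22:33:44:55", "dscp_before_avc": 0,
         "dscp_after_avc": 34, "ssid": "BYOD", "application_tag": 83, "client_ip": "10.20.30.40",
         "packet_count": 1200, "octet_count": 960000},
        {"client_mac": "aa:bb:cc:00:00:02", "ap_mac": "00:11:22:33:44:55", "dscp_before_avc": 46,
         "dscp_after_avc": 0, "ssid": "BYOD", "application_tag": 69, "client_ip": "10.20.30.41",
         "packet_count": 30, "octet_count": 4500},
    ]
    return parse_export(build_export(sample))
```

Two details matter for a collector in production: the template dictionary must outlive a single packet, because the WLC resends templates only periodically and data flowsets arriving before the template cannot be decoded, and the flowset-length check prevents a malformed or crafted packet from stalling the parser. The before/after DSCP pair is the evidence that the AVC marking rule on the WLAN actually fired for that client.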

Page 75: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Application Visibility and Control Verification

Application Control Tested:

• Citrix video streaming quality improves by 55%

• Microsoft Lync Voice MOS Score rises to 4.20

• Background traffic using Windows File Sharing drops by 74%

Download - http://dcc.syr.edu/PDF/Cisco-AVC-Application-Improvement-Report-Feb-2013.pdf

Page 76: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Services Gateway

Page 77: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Protocol

• The Bonjour protocol helps Apple devices discover services.

• Uses the mDNS protocol to advertise and discover services.

• Link local: does not cross subnets (figure: services on VLAN 20, clients on VLAN 10).

Page 78: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Challenges across VLANs

Bonjour is link-local multicast and can’t be routed (figure: Apple TV on VLAN Y, clients on VLAN X, CAPWAP tunnel between AP and WLC, router between the VLANs; both sides send to 224.0.0.251).

• Bonjour is link-local multicast and thus forwarded only on the local L2 domain.

• mDNS operates on UDP port 5353 and is sent to the reserved group addresses:

  IPv4 group address – 224.0.0.251

  IPv6 group address – FF02::FB

Page 79: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Apple TV Bluetooth Discovery Process

1. Enable Wi-Fi and make sure it is routable to the Apple TV subnet.

2. iDevices discover Apple TVs in Bluetooth range (40 feet).

3. iDevices can start mirroring.

Bluetooth is used only to discover Bonjour AirPlay services; it does not apply to AirPrint, Backup, AirDrop etc.

Page 80: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Apple TV Bluetooth Discovery Implications on Wi-Fi

Wi-Fi interference:

• Apple TVs add a new set of Bluetooth interfering devices on the network.

• Congested 2.4 GHz spectrum makes Bluetooth discovery slow and unreliable.

• No Bluetooth discovery for Mac OS X.

Bonjour policy control:

• A student can discover the Apple TV and gain AirPlay access (figure: Student, Teacher).

• The password mechanism lacks role-based policy control.

Page 81: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

© 2014 Cisco and/or its affiliates. All rights reserved.BRKEWN-2020 Cisco Public

Bonjour mDNS Gateway on Cisco WLC

87

Step 1 – Listen for Bonjour Services

CAPWAP TunnelApple TV

VLAN 23

Bonjour Advertisement

VLAN 20

VLAN 99

iPad

AirPlay Offered

AirP

rint

Offe

red

Bonjour Advertisement

AirPrinter(wired)

WLCAP

Switch

Page 82: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour mDNS Gateway on Cisco WLC

Step 2 – Bonjour Services cached on the controller

Figure: same topology (Apple TV on VLAN 20, wired AirPrinter on VLAN 23, iPad on VLAN 99). Bonjour cache on the WLC: AirPlay – VLAN 20, AirPrint – VLAN 23.

Page 83: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour mDNS Gateway on Cisco WLC

Step 3 – Listen for Client Service Queries for Services

Figure: the iPad on VLAN 99 sends a Bonjour query, “Is AirPlay offered?”, which reaches the WLC over the CAPWAP tunnel. Bonjour cache: AirPlay – VLAN 20, AirPrint – VLAN 23.

Page 84: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour mDNS Gateway on Cisco WLC

Step 4 – Respond to Client Queries (unicast) for Bonjour Services

Figure: the controller answers the iPad with a Bonjour response from its cache, “AirPlay is available on VLAN 20”. Bonjour cache: AirPlay – VLAN 20, AirPrint – VLAN 23.

Page 85: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Traffic Optimization

80% less Bonjour traffic*, 100% less Bonjour multicast traffic (*for a 4 access point deployment).

Reason for the traffic optimization: the Bonjour service query is served from the cache on the controller (Bonjour cache: AirPrint – VLAN 23, AirPlay – VLAN 20). The Bonjour client query is not forwarded, the WLC sends a unicast response, and the service advertisement is not forwarded either. 6400 entries per controller.
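The four gateway steps and the traffic optimization they produce, as an added Python model that is not part of the Cisco deck or of the WLC software: it parses mDNS PTR advertisements and queries in DNS wire format (the UDP 5353 traffic to 224.0.0.251 from the earlier slide), caches learned services per VLAN, answers a client query by unicast from the cache and never relays the multicast between VLANs. Service names, VLAN numbers and the way the 6400-entry limit is handled are constructed for the example; the controller's real cache and answer format are not shown on the page.

```python
"""Model of the WLC Bonjour (mDNS) gateway: learn advertisements from the
224.0.0.251:5353 group into a per-VLAN cache, answer client queries from the
cache by unicast, never relay the multicast between VLANs.
Added example, not Cisco code; names, VLANs and packets are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # from the slide
TYPE_PTR, CLASS_IN = 12, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding, no compression."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt: bytes, pos: int) -> Tuple[str, int]:
    """Read a DNS name at pos; follows compression pointers with a hop limit
    so a malformed packet cannot loop the parser."""
    labels, end, jumped, hops = [], pos, False, 0
    while True:
        ln = pkt[pos]
        if ln & 0xC0 == 0xC0:                      # pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", pkt[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if ln == 0:
            break
        labels.append(pkt[pos:pos + ln].decode())
        pos += ln
    return ".".join(labels), (end if jumped else pos)


def build_query(service: str) -> bytes:
    """Client query 'is <service> offered?' (one PTR question)."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def build_ptr_response(service: str, instances: List[str], ttl: int = 4500) -> bytes:
    """Advertisement or gateway answer: one PTR record per service instance."""
    out = struct.pack("!HHHHHH", 0, 0x8400, 0, len(instances), 0, 0)   # QR|AA
    for inst in instances:
        rdata = encode_name(inst)
        out += encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata)) + rdata
    return out


def parse(pkt: bytes) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (questioned service names, PTR answers as (service, instance))."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = decode_name(pkt, pos)
        pos += 4                                   # qtype, qclass
        questions.append(name)
    for _ in range(an):
        name, pos = decode_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == TYPE_PTR:
            answers.append((name, decode_name(pkt, pos)[0]))
        pos += rdlen
    return questions, answers


class BonjourGateway:
    def __init__(self, max_entries: int = 6400) -> None:   # per-controller limit on the slide
        self.cache: Dict[str, List[Tuple[str, int]]] = {}   # service -> [(instance, vlan)]
        self.max_entries = max_entries
        self.multicast_forwarded = 0   # stays 0: group traffic is consumed, not relayed

    def entries(self) -> int:
        return sum(len(v) for v in self.cache.values())

    def on_multicast(self, pkt: bytes, vlan: int) -> Optional[bytes]:
        """Steps 1-2: cache advertisements. Steps 3-4: answer a query by
        unicast (the returned bytes go only to the asking client)."""
        questions, answers = parse(pkt)
        for service, instance in answers:
            bucket = self.cache.setdefault(service, [])
            if (instance, vlan) not in bucket:
                if self.entries() >= self.max_entries:
                    return None            # cache full: ignore rather than evict
                bucket.append((instance, vlan))
        for service in questions:
            hits = self.cache.get(service)
            if hits:
                return build_ptr_response(service, [inst for inst, _ in hits])
        return None


def demo() -> dict:
    gw = BonjourGateway()
    # Step 1: Apple TV on VLAN 20 and a wired AirPrinter on VLAN 23 advertise
    gw.on_multicast(build_ptr_response("_airplay._tcp.local", ["Room 12 Apple TV._airplay._tcp.local"]), vlan=20)
    gw.on_multicast(build_ptr_response("_ipp._tcp.local", ["Library Printer._ipp._tcp.local"]), vlan=23)
    # Step 3: an iPad on VLAN 99 asks whether AirPlay is offered
    reply = gw.on_multicast(build_query("_airplay._tcp.local"), vlan=99)
    return {"cache": gw.cache, "answers": parse(reply)[1], "multicast_forwarded": gw.multicast_forwarded}
```

The counter that stays at zero is the point of the optimization slide: once the controller answers from its cache, neither the advertisement nor the query has to be flooded to other VLANs or access points, so the only Bonjour traffic on the air is the unicast reply to the client that asked.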

Page 86: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Filter Services by WLAN and VLAN

Figure: a single SSID served by one AP and WLC. The Services Directory on the WLC holds the FileShare service; the Contractor Network has a Contractor Service Policy and the Employee Network an Employee Service Policy (FileShare is shown shared to the Employee Network).

Page 87: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Policy Example for Education using v8.0 (new in 8.0)

Figure: mDNS service instance groups for the Teacher Network and the Student Network. Teacher Service Profile: AirPrint, AirPlay, FileShare; Student Service Profile: AirPlay, FileShare. The Teacher Service Instance List and Student Service Instance List hold the instances Apple TV1, Apple TV2, AirPrint and iTunes Sharing, with Apple TV1 appearing in both lists.

Page 88: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Policy Enhancements in v8.0

• Location and role filtering in release v8.0.

• Bonjour policies allow creation of mDNS service groups and service instances within the group.

• A service instance mandates how it is shared by configuring:

  o MAC address of the service instance

  o Name of the service instance

  o Location type of the service instance by AP Group, AP Name or AP Location

  o Location configuration allows access to the “service instance” by client location

• Location configuration is applied to wired and wireless instances of all services and printers as Any, Same or one AP Name.

• This allows selective sharing of service instances based on the location and rule (= user-id and role) on the same WLAN.

Page 89: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Policy Configuration

Configure service instances in the mDNS group, and the role.

Page 90: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Policy Enhancements in v8.0

• A service instance associated with a MAC address can be configured in multiple service groups. Currently a maximum of 5 service groups is supported for a single MAC address. Service group configuration can be done even when mDNS snooping is disabled. The number of service instances per service group is limited by the platform (i.e. 6400 on 5508).

• Location filtering of a service instance can be limited by the following attributes:

  “any” – clients from any location can access the service, subject to role and user-id credentials being allowed by the policy associated with the service group for the said MAC address.

  “same” – only clients from the same location as the device publishing the service instance can access the service.

  “ap-name” – only clients associated to that AP can access the service instance.

Page 91: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Policy Enhancements in v8.0

• Allows articulating with whom a “service instance” is shared, i.e. user-id, and with which role(s) it is shared, i.e. teacher or student.

• With the Bonjour access policy there are now two levels of filtering of client queries:

  1. At the service type level, using the mDNS profile. The mDNS profile can be user specific and can be overridden with an ISE “av-pair” returned to the WLC that overrides the default profile.

  2. At the service instance level, using the access policy associated with each service instance.

Note: service instances which are not configured with any access policy are mapped to the default access policy that allows the configured <roles/names> to receive the service instances.
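The two-level filter described on the last three slides, as an added Python evaluation model that is not part of the Cisco deck or of the WLC: level 1 drops service types outside the user's mDNS profile, level 2 applies the instance's location type (any / same / ap-name) and then the role or user-id of the access policy, falling back to a default policy for instances with no policy. The groups, instances, AP names and users are constructed after the teacher/student example; "location" is modelled as the AP name only, whereas the slides also allow AP Group and AP Location.

```python
"""Evaluate which Bonjour service instances a client may see under the v8.0
policy model: level 1 = service type (the user's mDNS profile), level 2 =
the instance's access policy (location, then role or user-id).
Added example, not Cisco code; all names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_GROUPS_PER_MAC = 5   # limit stated on the slide


@dataclass
class ServiceInstance:
    mac: str
    name: str
    service: str                           # service type, e.g. "_airplay._tcp.local"
    location_type: str                     # "any", "same" or "ap-name"
    groups: List[str] = field(default_factory=list)
    publisher_ap: Optional[str] = None     # AP the device was learned behind ("same")
    ap_name: Optional[str] = None          # AP named in the policy ("ap-name")


@dataclass
class AccessPolicy:
    group: str
    roles: Set[str]
    user_ids: Set[str] = field(default_factory=set)


@dataclass
class Client:
    user_id: str
    role: str
    ap_name: str
    mdns_profile: Set[str]   # service types the user's mDNS profile allows


def location_allows(inst: ServiceInstance, client: Client) -> bool:
    if inst.location_type == "any":
        return True
    if inst.location_type == "same":
        return inst.publisher_ap is not None and inst.publisher_ap == client.ap_name
    if inst.location_type == "ap-name":
        return inst.ap_name == client.ap_name
    raise ValueError(f"unknown location type {inst.location_type}")


class BonjourPolicyEngine:
    def __init__(self, default_policy: AccessPolicy) -> None:
        self.instances: List[ServiceInstance] = []
        self.policies: Dict[str, AccessPolicy] = {}
        self.default_policy = default_policy   # for instances with no policy

    def add_policy(self, policy: AccessPolicy) -> None:
        self.policies[policy.group] = policy

    def add_instance(self, inst: ServiceInstance) -> None:
        groups = {g for i in self.instances if i.mac == inst.mac for g in i.groups}
        if len(groups | set(inst.groups)) > MAX_GROUPS_PER_MAC:
            raise ValueError(f"{inst.mac}: more than {MAX_GROUPS_PER_MAC} service groups")
        self.instances.append(inst)

    def role_allows(self, inst: ServiceInstance, client: Client) -> bool:
        policies = [self.policies[g] for g in inst.groups if g in self.policies]
        if not policies:
            policies = [self.default_policy]
        return any(client.role in p.roles or client.user_id in p.user_ids for p in policies)

    def visible_instances(self, client: Client) -> List[str]:
        return [inst.name for inst in self.instances
                if inst.service in client.mdns_profile      # level 1: service type
                and location_allows(inst, client)           # level 2: location
                and self.role_allows(inst, client)]         # level 2: role / user-id


def demo() -> Dict[str, List[str]]:
    engine = BonjourPolicyEngine(AccessPolicy("default", roles={"teacher"}))
    engine.add_policy(AccessPolicy("teacher-net", roles={"teacher"}))
    engine.add_policy(AccessPolicy("student-net", roles={"student"}))
    engine.add_instance(ServiceInstance("00:00:00:00:00:01", "Apple TV1", "_airplay._tcp.local", "any", ["teacher-net", "student-net"]))
    engine.add_instance(ServiceInstance("00:00:00:00:00:02", "Apple TV2", "_airplay._tcp.local", "same", ["teacher-net"], publisher_ap="AP-Room-12"))
    engine.add_instance(ServiceInstance("00:00:00:00:00:03", "Library Printer", "_ipp._tcp.local", "ap-name", ["teacher-net"], ap_name="AP-Library"))
    engine.add_instance(ServiceInstance("00:00:00:00:00:04", "iTunes Sharing", "_daap._tcp.local", "any"))   # no policy: default applies
    clients = {
        "teacher-room12": Client("ada", "teacher", "AP-Room-12", {"_airplay._tcp.local", "_ipp._tcp.local", "_daap._tcp.local"}),
        "student-room12": Client("bob", "student", "AP-Room-12", {"_airplay._tcp.local"}),
        "teacher-library": Client("cyd", "teacher", "AP-Library", {"_airplay._tcp.local", "_ipp._tcp.local"}),
    }
    return {label: engine.visible_instances(c) for label, c in clients.items()}
```

The student in room 12 passes the location check for Apple TV2 (same AP as the publishing device) but not the role check, which is the control the Bluetooth-discovery slide said the Apple TV password mechanism lacks. The default policy deserves attention when deploying: any instance nobody attached a policy to is governed by it, so its role list decides what unclassified devices expose.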

Page 92: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Location Specific Service for Bonjour

With LSS, Bonjour services can be location specific; localization can be configured per service. Figure: Apple services reachable through an mDNS AP and CAPWAP tunnels, with the Bonjour Services Directory on the WLC.

Page 93: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Enable Bonjour for Remote VLAN: mDNS AP

With mDNS-AP, Bonjour services can be seen from a remote VLAN. Figure: an Apple TV on remote VLAN X behind a remote switch; an mDNS AP in trunk mode receives the 224.0.0.251 advertisements on VLAN X and carries them over the CAPWAP tunnel to the WLC, whose Bonjour Services Directory then serves clients on VLAN Y.

Page 94: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Google Chromecast with Cisco Wireless LAN Controllers

• Chromecast Deployment Guide: http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/chromecastDG76/ChromecastDG76.html

How does Google Chromecast work? (figure)

1. Service discovery request (multicast to 239.255.255.250).

2. Unicast response with the IP address of the service.

Page 95: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

AVC and Bonjour Gateway Network Requirements (For Your Reference)

Cisco Wireless LAN (platforms: 5508 / WiSM2, 7500, 8500, 2500):

Feature/Platform                        Requirement
AVC                                     AireOS 7.4 onwards
Access Point Mode for AVC               Local Mode Only
AVC Protocol Pack Update                AireOS 7.5 onwards
Bonjour Gateway                         AireOS 7.4 onwards
Bonjour Location Specific Service       AireOS 7.5 onwards
mDNS AP feature                         AireOS 7.5 onwards
Access Point mode for Bonjour Gateway   Local Mode Only
Extra License                           None

(One platform cell of the original table is marked N/A.)

Network Management:

Feature/Platform                        Cisco Prime
Performance Collection                  Flexible Netflow
License                                 Prime Assurance

NBAR2 Limitations on WLC:

• When an AP is in FlexConnect mode, NBAR is not supported

• IPv6 traffic cannot be classified

• Not supported by the vWLC or WLC on SRE

Page 96: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Summary: Managing Policies for BYOD Network

Figure: Personal Devices on Network (Wireless, Wired, Remote Access); Securely Board the Device; Application Experience; Simplified Bonjour Operations. Network components: ISE, Prime, 3rd Party MDM (optional).

Page 97: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Participate in the “My Favorite Speaker” Contest: Promote Your Favorite Speaker and You Could be a Winner

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

  – Your favorite speaker’s Twitter handle <Speaker – enter your twitter handle here>

  – Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Page 98: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Page 99: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Continue Your Education

• Demos

• Labs

• Lunch

• Topics

• Final copy TBD

Page 100: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Configurations for Your Reference


Page 101: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Steps for Integrating the Controller and ISE (For Your Reference)

1. Configure WLAN for 802.1X authentication

  • Configure RADIUS server on the controller

  • Set up WLAN for AAA Override, profiling and RADIUS NAC

2. Configure ISE profiling

  • Enable profiling sensors

3. Set up access restrictions

  • Configure ACLs to filter and control network access.

Page 102: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Configuring ISE as the Authentication Server and Accounting Server (For Your Reference)

1. Enable “RFC 3576” to support Change of Authorization.

2. Add ISE to the accounting servers to receive session statistics.

Page 103: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Configuring the WLAN for Secure Connectivity: Enabling Secure Authentication and Encryption with WPA2-Enterprise (For Your Reference)

1. WPA2 security with AES encryption.

2. Assign the RADIUS server per WLAN.

Page 104: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Setting the WLAN QoS Level for Override (For Your Reference)

Using WMM, the QoS level is based on the marking of the packet.

• If WMM is set to Allowed, the Quality of Service configuration serves as a limit for the entire SSID.

• Ensure all controller uplinks, media servers and access points have proper Quality of Service trust commands in IOS.

1. The WLAN QoS setting acts as an upper limit, or ceiling, for the WLAN’s QoS configuration.

Page 105: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Configuring the WLAN for ISE Identity-based Networking Cont’d (For Your Reference)

1. Allow AAA Override to permit ISE to modify user access permissions.

2. Enable RADIUS NAC to allow ISE to use Change of Authorization.

3. Enable RADIUS client profiling to send DHCP and HTTP attributes to ISE.

Page 106: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Configuring the Controller ACL (For Your Reference)

1. This ACL will be referenced by name by ISE to restrict the user.

2. Use the ISE server’s IP address to allow only traffic to that site.

Page 107: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Configuring ISE Profiling Sensors (For Your Reference)

• Profiling relies on a multitude of “sensors” to assess the client’s device type.

• Profiling can always be achieved through a SPAN port; more efficient profiling is achieved through sensors which selectively forward attributes.

• For DHCP profiling:

  – Option A: Use v7.2 MR1 code to send DHCP attributes in RADIUS accounting messages.

  – Option B: Use Cisco IOS “ip helper” addressed to ISE on switches adjacent to the WLC.

• For HTTP profiling:

  – Use the Web-Authentication redirect to get the HTTP user agent.

Page 108: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Steps for Configuring Device Provisioning (For Your Reference)

1. Configure integration with the external CA server

  • Define SCEP URL and certificates.

  • Example – Active Directory, CA Server or internal DB.

2. Define the supplicant provisioning profile

  • Define what security and EAP type is deployed to end devices.

Page 109: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Configuring SCEP Integration on the ISE: The ISE Must Point to the SCEP Server and Have a Valid Certificate Signed by the CA (For Your Reference)

1. Configure the SCEP URL pointing to the Microsoft Windows 2008 Server or other CA.

2. Request a certificate for the ISE from the CA server.

Page 110: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Configuring Certificates on the ISE: Certificates are Used for HTTPS and EAP Connections (For Your Reference)

1. The web server certificate can be the same as, or different from, the EAP/RADIUS certificate.

2. Use the certificate from your CA server for EAP authentication.

Page 111: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Configuring the Web-Authentication Redirect ACL (For Your Reference)

The ACL is used in HTTP profiling as well as posture and client provisioning.

1. This ACL will be referenced by name by ISE to restrict the user.

2. Use the ISE server’s IP address to allow only traffic to that site.
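The intent of the controller ACL on this slide and on the earlier "Configuring the Controller ACL" slide (allow only traffic to the ISE server while the user is being redirected), as an added Python model that is not part of the Cisco deck and does not use AireOS ACL syntax: ordered entries, first match wins, implicit deny at the end, evaluated over a few constructed flows. The ISE address, client addresses and the DNS/DHCP entries are constructed; the latter are there because a client that cannot resolve names or obtain a lease never reaches the portal.

```python
"""First-match ACL evaluation for a web-authentication redirect ACL that
permits only ISE-bound traffic (plus DNS and DHCP). Added example, not
Cisco code; all addresses and flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ISE_IP = "10.1.1.50"   # constructed ISE address


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    protocol: str                # "any", "tcp" or "udp"
    src: str                     # CIDR
    dst: str                     # CIDR
    dst_port: Optional[int] = None


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(entry: AclEntry, pkt: Packet) -> bool:
    if entry.protocol != "any" and entry.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(entry.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(entry.dst):
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    for entry in acl:               # ordered: the first matching entry decides
        if matches(entry, pkt):
            return entry.action
    return "deny"                   # implicit deny at the end of every ACL


# Pre-authentication / redirect ACL: only what the client needs to reach ISE.
REDIRECT_ACL = [
    AclEntry("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 53),     # DNS
    AclEntry("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 67),     # DHCP to server
    AclEntry("permit", "any", "0.0.0.0/0", f"{ISE_IP}/32"),      # client -> ISE
    AclEntry("permit", "any", f"{ISE_IP}/32", "0.0.0.0/0"),      # ISE -> client
]


def demo() -> Dict[str, str]:
    flows = {   # constructed flows from a client that is still unauthorized
        "dns": Packet("udp", "10.20.30.40", "10.1.1.10", 53),
        "ise_portal": Packet("tcp", "10.20.30.40", ISE_IP, 8443),
        "ise_reply": Packet("tcp", ISE_IP, "10.20.30.40", 51000),
        "internet": Packet("tcp", "10.20.30.40", "93.184.216.34", 443),
        "fileshare": Packet("tcp", "10.20.30.40", "10.1.2.20", 445),
    }
    return {name: evaluate(REDIRECT_ACL, p) for name, p in flows.items()}
```

Order matters in the real ACL exactly as it does here: a broad permit placed above the ISE entries would let the unprovisioned device past the portal, and the absence of a matching entry is what keeps the internal file share and the Internet closed until ISE changes the authorization.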

Page 112: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Defining the Supplicant Provisioning Authorization Profile (For Your Reference)

1. Configure the redirect ACL on the WLC.

2. Choose “Supplicant Provisioning” for the redirect portal.

Page 113: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

BYOD configuration for Unified Access


Page 114: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Unified Access BYOD Config (For Your Reference)

Figure: Change of Authorization (CoA) and Network Access Control.

Page 115: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Steps for AVC Configuration (For Your Reference)

Configure AVC policy and Netflow

• Define the AVC profile and apply it to the WLAN.

• Define the Netflow export profile and apply it to the WLAN.

Update NBAR2 protocol pack

• Steps to update the protocol pack on the controller.

Page 116: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Applying AVC Profiles (For Your Reference)

Create an AVC Profile for applications at Wireless > AVC, then apply the AVC Profile to the WLAN. A maximum of 32 rules can be created per AVC Profile.

Page 117: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Netflow Collection and Export Configuration (For Your Reference)

The WLC collects application bandwidth and exports it as NetFlow v9 to a management tool for reporting (figure: WLC – Netflow Collection & Exporting – NFv9 – Reporting Tools).

1. Create Netflow Monitor and Exporter at Wireless > Netflow.

2. Apply Netflow monitor per WLAN.

Page 118: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

AVC: Steps for Updating the AVC Protocol Pack (For Your Reference)

• A Protocol Pack allows adding more applications without upgrading or reloading AireOS.

• NBAR2 Protocol List: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html

• Protocol Packs are released for a specific NBAR Engine – the AireOS 7.5 WLC has NBAR Engine 13 (protocol pack will be pp-adv-asr1k-152-4.S-13-3.0.0.pac).

Page 119: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Steps for Bonjour Configuration (For Your Reference)

Bonjour Profile

• Steps to configure the mDNS profile.

• Steps to apply the mDNS profile per interface.

Location Specific Bonjour Service

• Steps to enable location specific services on the controller.

Remote VLAN Bonjour Service

• Steps to discover Bonjour services on a remote VLAN by enabling mDNS AP.

Page 120: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour Gateway Services Filter (For Your Reference)

Enable mDNS globally / add services; a maximum of 64 services can be enabled. Figure: mDNS profile for Employee.

Page 121: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Applying the Bonjour Gateway Profile (For Your Reference)

Controlling the Bonjour Gateway profile per interface (WLAN and VLAN).

Page 122: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour: Steps for Configuring the LSS Service from the CLI (For Your Reference)

1. Once the basic Bonjour gateway setup is configured, LSS can be enabled from the WLC CLI; LSS is disabled by default on the WLC.

2. Configure LSS services from the CLI:

   (WLC) >config mdns service lss <enable / disable> <service_name/all>

Page 123: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer

Bonjour: Configure mDNS-AP from the CLI (For Your Reference)

1. Configure the switch port for the mDNS-AP in trunk mode or access mode.

2. Configure mDNS-AP trunk mode or access mode:

   (WLC) >config mdns ap enable/disable <APName/all> vlan <vlan-id>

   (WLC) >config mdns ap vlan add/delete <vlanid> <AP Name>

   (WLC) >config mdns ap enable/disable <APName/all>   (no VLAN config in access mode)

Page 124: Managing Policies for BYOD Network BRKEWN-2020 Damodar Banodkar Technical Marketing Engineer