Secure Network Access made easy

With the Identity Services Engine (ISE), Cisco offers a solution for controlling access to the network centrally. It lets you define client requirements and the resulting access rights for wired LAN, wireless LAN and VPN. In addition, ISE gives administrators detailed information about who logs onto the network, when, and with which device. Version 2.1 of the Identity Services Engine was released fairly recently; this article gives an overview of its new features.


LOOK & FEEL

Administration of ISE through the graphical user interface has changed a great deal compared to the 1.x releases. Administrators can now customize the ISE home page with configurable widgets to suit their needs. Key figures, such as the number of active clients or currently registered guests, give a quick overview of the current state of the network. Dashboards are now rendered in HTML5 rather than in Flash as before; the next versions will remove the last remnants of Flash from the menus as well.

THREAT CENTRIC NAC

Classic network admission (or access) control (NAC) is based on checking a client's security posture and, depending on the result, permitting or denying access to the network. The checks can cover, for example, Windows updates, anti-malware products and the disk encryption in use. Threat Centric NAC adds to these criteria the ability to gather information about known vulnerabilities and about compromise attempts, and to permit access (or not :-)) based on that evidence. At present, Cisco Advanced Malware Protection and the Qualys Guard Scanner can be used as sources. When a client tries to connect to the network, ISE can notify the Qualys server.

The server then starts a vulnerability scan and returns the results to ISE. If the client has unpatched vulnerabilities, it can, for instance, be moved into a remediation VLAN so that the affected software can be updated.

Integration of third party network devices

IEEE 802.1X is a widely used standard for network access control and is supported by all major vendors of network components. In addition, many vendor features make deploying and operating 802.1X more convenient or open up new possibilities. If, for instance, a guest tries to connect to the network, authentication via 802.1X fails because the guest has no valid credentials for the network. In this case, a web redirect can be triggered with the help of ISE. The guest is redirected to a portal where they can register as a guest, and restricted permissions (e.g. internet access only) are then assigned to them.

However, there is no uniform, standardized way to trigger a web redirect on the Network Access Device (NAD): several vendors offer this function, but each implements it with different RADIUS attributes. With ISE 2.1, it is now possible to specify the vendor of the NAD. ISE can then send exactly the right RADIUS attributes to ensure the client is redirected successfully. Supported vendors include Aruba, Brocade, HP and Ruckus, amongst others. If a vendor is not supported out of the box, a custom profile can be created. Naturally, this requires that the device supports the function in the first place.

ODBC Identity Source

Most businesses use directory services such as Microsoft Active Directory, OpenLDAP, etc. to manage users, groups and computers. ISE can use these services to perform authentication and authorization: a user's password can, for instance, be verified against Active Directory, and the user can then be granted permissions based on group memberships. However, such directory services are not always an option. Either no suitable directory service is in use at all, or not all objects can be found in the directory. Clients installed via software deployment, for example, already need network access before they are joined to the directory service. This is exactly where ODBC helps as an identity source. If clients currently being (re)installed are recorded by the software deployment system in a database such as MS SQL, Oracle, PostgreSQL or Sybase, ISE can query that database in order to grant the required access. This is only one of many possible applications of ODBC as an identity source; guest and BYOD devices can also be authenticated via ODBC.
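The database lookup described above, as an added example that is not part of the original article and not ISE's own ODBC configuration: it assumes the deployment system records each client's MAC address and installation state in a table, and uses an in-memory SQLite database as a stand-in for the ODBC-attached MS SQL, Oracle, PostgreSQL or Sybase database. The MAC supplied by the connecting client is treated as untrusted input (normalised, then bound as a query parameter), and a client whose installation is still in progress only receives staging access.

```python
import re
import sqlite3

# Constructed sample of a software-deployment database: MAC address,
# hostname and installation state (assumption: the deployment tool keeps
# such a table; in production ISE would reach the real database over ODBC).
SAMPLE_ROWS = [
    ("00:11:22:33:44:55", "ws-001", "deploying"),  # OS install in progress
    ("AA-BB-CC-DD-EE-01", "ws-002", "joined"),     # already in the directory
    ("AABBCCDDEE02", "ws-003", "retired"),         # decommissioned client
]

def normalize_mac(mac):
    """Return the MAC as lower-case colon-separated hex, or None if malformed."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def build_db():
    """Create the in-memory stand-in database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (mac TEXT PRIMARY KEY, hostname TEXT, state TEXT)")
    for mac, host, state in SAMPLE_ROWS:
        conn.execute("INSERT INTO clients VALUES (?, ?, ?)", (normalize_mac(mac), host, state))
    conn.commit()
    return conn

def authorize(conn, calling_station_id):
    """Map the client's MAC to 'staging', 'full' or 'deny' from its deployment state."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "deny"          # not a MAC at all: reject before touching the DB
    # Bound parameter, never string concatenation: the MAC is client-controlled.
    row = conn.execute("SELECT state FROM clients WHERE mac = ?", (mac,)).fetchone()
    if row is None:
        return "deny"          # unknown device: no record in the deployment DB
    if row[0] == "deploying":
        return "staging"       # e.g. a VLAN that reaches only the deployment server
    if row[0] == "joined":
        return "full"
    return "deny"              # retired or any other state
```

The decision strings stand for the authorization profiles (staging VLAN, full access, reject) that the access policy would assign.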

The features outlined here are only a selection of what is new in ISE 2.1. We are happy to answer your questions or to advise you if you would like to make use of the possibilities of network access control.