Authentication and Authorization Overview

Captions
Hey there. So in this video we're going to walk through the authentication and authorization portion of ISE, just to understand how to configure authentication policies and authorization policies, at least from the get-go, to permit an authentication. So to start off, we're going to go to Policy and Authentication. Now, to understand how this works: everything is processed, as we have here with the policy type Rule-Based, like an access control list, where first match goes. Now there's a way to make it match multiple, but I'm not really certain what value that adds. So what we have here, for instance, are some pre-built rules like MAB, Dot1X, and the default rule. So if we look here, MAB has a compound condition called Wired MAB or Wireless MAB, and we're saying the allowed protocols are Default Network Access, and we're saying the default rule set in this section is to use Internal Endpoints as the location for that endpoint information. So this is where we would load all of our MAC addresses that we'd want to have processed in a certain policy: in the Internal Endpoint store. The next rule we have here is Dot1X. So with Dot1X, what we have is a Wired 802.1X compound condition as well as Wireless 802.1X, and our allowed protocols are Default Network Access, which we'll go through in a minute, and the default rule is to use All User ID Stores. What this is is a compound ID store, or identity source sequence, that says I'm going to use internal users, I'm going to use any Active Directory users, any other stores that I have configured. Then we have a default rule: if we don't match any of these, then the allowed protocols are Default Network Access and you use All User ID Stores. Depending on the environment, the default rule can be left as it is, because most of our authorization matches should be for actual network access; the reservation is on the next portion. However, in some environments some customers do like to have this disabled. To disable a rule, one of the things you could do is usually select and disable it. It looks like this rule may actually be permanently on, so you could create a rule above that that just says if... and then make it RADIUS authentication and then deny access. But anyways, to make a change on any of these rules you just double-click, and from here we can, for instance, click plus here and add different policy information.

But for right now, to understand what Default Network Access is: if we go to Policy and then Policy Elements here, and we go to Results, we can go to Authentication and Allowed Protocols. Now here you can see Default Network Access. When I click on Default Network Access, this will tell me what that is going to allow as far as authentication types. So by default we're saying we're going to process host lookups for any MAC auth bypass on devices, which is great; that's what we want. We're also allowing PAP/ASCII, so depending on the scenario this may or may not be something you want to enable, depending on the type of authentication. Allow EAP-MD5: I typically turn that off unless they have a device that's using MD5. I also typically turn off EAP-GTC and, depending on the scenario, maybe even EAP-MSCHAP, depending on whether the customer has certificates implemented. But for now we're going to leave PEAP enabled. We're going to turn off EAP-FAST because we're not using EAP-FAST. We are going to allow EAP-TLS, and then we can also... or EAP-TTLS, I mean; actually, we could disable that as well. Really we just want to allow PEAP, we want to allow EAP-TLS, and I'll see if there's anything else we want to allow in here. No, it sounds good, because really, truly, in most scenarios you're either going to be doing PEAP-MSCHAP, PEAP-TLS, or TLS as the native authentication. We could also have PAP/ASCII if it was a web page, for instance, that was using RADIUS to authenticate a client. So let's click Save here.

All right, so we just locked this down a little bit to make sure that no one getting on the network is, for instance, using MS-CHAPv1 as the full method, because it's not encrypted. We also don't want to allow MS-CHAPv2 without an encryption method, because it is also very vulnerable, etc. We don't allow LEAP unless there's some strange reason you need LEAP, as LEAP is also very easy to decrypt and get credentials from as a whole, so we easily get username and password information, and yeah, not very secure. So anyway, now we've locked down the authentication page, or at least the authentication portion. So at this point what we're saying is we're going to permit Default Network Access and we're going to use All User ID Stores. There could be a chance where maybe you don't want to use internal users and you want to use just a single identity source. So to change these we actually go to Administration and we go to External Identity Sources... actually, we go to Identity Source Sequences, not External Identity Sources. Now here's where you can see what is in All User ID Stores. So what we're saying is all Active Directory join points, all internal users, all guest users. One thing we're missing is Internal Endpoints; you don't want this, typically. It's only for MAB, or for MAC address authentication, so I wouldn't move this into that group. And then advanced search list settings: so if I wanted to, for instance, remove guest users and just have internal users and AD join points, but if I'm not found in internal users I want it to fail, I could say "do not access other stores". I highly recommend leaving that alone, because that kind of defeats the purpose of an identity source sequence, as it should be going through each of those until it either finds a match or denies authentication. So we have authentication policies; I typically leave those alone. There's a reason to make them more granular, like locking down the types of authentications that are permitted through the ISE server, but really all of our policy work is going to be done in the Authorization tab.

So by default there are quite a few different authorization policies configured. I personally do not like using the pre-configured policies at all, (a) because you have to go through and make sure you understand what each of the pieces are in here, and also there are some things in here that are configured very specifically for certain platforms. So I will go through and, for instance, I'm going to delete all these ones in the middle here because they serve no purpose for me at this point. There may be a reason to use them; if any of you know of a reason that you would like to keep these in here when configuring ISE, please comment, I would greatly appreciate it. But we're going to delete a lot of these. So Basic Authenticated Access: we're saying if network access authentication passed, in other words if the user is found in an identity store, permit access. No thanks. We're also going to get rid of this IP Phone profile for right now, and this one as well; we will work on these later. And then Wireless Blacklist: this is actually a pretty cool one. It might have to modify the wireless access compound condition to make sure it matches MR, but what this can do is, if a device is marked as blacklisted, so if the device is registered and then later the user finds out that the device has been lost or stolen, they can click to blacklist it. The next time that user, or that device, is actually connected to the network, it will redirect to a blacklist page. This can be done in Dashboard as well, where you just click and block the client and put a little splash message. Same idea goes here: you can modify this blacklist, or black hole, wireless access page so that it states "this device has been stolen, please contact IT". Anyway, I'm going to click Save real quick. I highly recommend that when you're building out policies, this default policy rule here that we can see, leave it as Deny Access. I've seen so many occasions where someone made this Permit Access when they were doing a deployment and it causes it to be very open, where I can get on very easily for no reason at all other than the policy stated to permit anything.

So once again, these are also processed top-down, so we start at the beginning of the rule set and go down through until we find a match, and then apply the permission. At the end you can see here, as I mentioned earlier, we could do "multiple matched rules applied". I don't understand the value of that today. There could be one if you wanted to match on multiple listings and it overwrites different rule sets depending on the hierarchy, and it's confusing. So there's also this Exceptions tab here. So if you need to create a quick rule to permit access and you didn't want to modify any of the standard rule sets, you could create a new rule that maybe permits a certain username to access the network. Like, let's say you needed to have quick admin access to a bunch of services in a bunch of different buildings; this is a place to do it. Exceptions are typically not meant to be permanent; they're meant to be exceptions for a small time period. All right, so if we wanted to create a rule that just permits network access, there was one in there; however, why not create it by hand here? So let's just call this Permit Access, and what we're going to do is, there's this little area right here that says "if Any". Now "Any" means right now that we're not saying it's a user, an internal user type, or an endpoint identity group. However, you could say, later down the road there will be one for guest access where we say if it's a guest registered device then proceed with the rest of the conditions. So right now we always want this to be Any unless we're matching based on a type of group: endpoint, or endpoint group, or internal user group in ISE. Now Conditions: this is where we can actually start creating conditions that match the authentication. So to start, there are a number of different attributes we can select here. For instance, maybe we just want to do RADIUS authentication; when I get through the rest of that, RADIUS, and then we could go NAS-Port-Type equals, and maybe we decide it is Wireless IEEE 802.11. So what we can just say here is that if it's coming from an 802.11 device then permit access. This is not a good rule; this is more or less that default rule they had on there. This just pertains to, let's just say, a permit when wireless is accessed. So literally, if you wanted to make a rule that just permitted anyone connecting to wireless that fell into that default policy, and the user account was found in one of the user stores, then just permit them on the network, this would be the way to do it. We're going to get more granular into more use cases, into an actual use case, in the next couple of videos. However, at this point I think that this kind of sums up the overall page and understanding how these policies work. I hope this was informative and I appreciate you checking this out.
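Added example, not code from the video or from Cisco: a small Python model of the rule-based authorization evaluation the video describes (Exceptions first, then the standard rules top-down, first match wins, the Default rule last), used to show why leaving the Default rule as DenyAccess matters. The policy, rule names, attribute names and requests are constructed sample data modelled on the names used in the video.

```python
from copy import deepcopy

WIRELESS_80211 = "Wireless - IEEE 802.11"  # NAS-Port-Type value used in the video

def matches(rule, request):
    """A rule matches only when every one of its conditions equals the request attribute."""
    return all(request.get(attr) == value for attr, value in rule["if"].items())

def authorize(policy, request):
    """Evaluate like an ACL: Exceptions first, then rules top-down, first match wins;
    the Default rule applies only when nothing above matched."""
    for rule in policy["exceptions"] + policy["rules"]:
        if matches(rule, request):
            return rule["then"], rule["name"]
    return policy["default"], "Default"

def with_default(policy, profile):
    """Copy of the policy with a different Default rule result (to compare Deny vs Permit)."""
    changed = deepcopy(policy)
    changed["default"] = profile
    return changed

# Constructed policy mirroring the video's layout: one temporary exception, the
# Wireless Blacklist rule kept above a hand-made 'Permit Access' rule, Default = DenyAccess.
POLICY = {
    "exceptions": [
        {"name": "Temp admin", "if": {"User-Name": "jdoe"}, "then": "PermitAccess"},
    ],
    "rules": [
        {"name": "Wireless Blacklist",
         "if": {"Identity-Group": "Blacklist", "NAS-Port-Type": WIRELESS_80211},
         "then": "Blackhole_Wireless_Access"},
        {"name": "Permit Access",
         "if": {"NAS-Port-Type": WIRELESS_80211, "AuthenticationStatus": "AuthenticationPassed"},
         "then": "PermitAccess"},
    ],
    "default": "DenyAccess",
}

# Constructed sample requests (attribute names follow the ISE/RADIUS names in the video).
WIRELESS_USER = {"User-Name": "alice", "NAS-Port-Type": WIRELESS_80211,
                 "AuthenticationStatus": "AuthenticationPassed"}
STOLEN_LAPTOP = dict(WIRELESS_USER, **{"Identity-Group": "Blacklist"})
WIRED_USER = {"User-Name": "bob", "NAS-Port-Type": "Ethernet",
              "AuthenticationStatus": "AuthenticationPassed"}

if __name__ == "__main__":
    for label, req in [("wireless user", WIRELESS_USER), ("blacklisted device", STOLEN_LAPTOP),
                       ("wired user, no rule", WIRED_USER)]:
        print(f"{label:22} Default=DenyAccess   -> {authorize(POLICY, req)}")
        print(f"{label:22} Default=PermitAccess -> {authorize(with_default(POLICY, 'PermitAccess'), req)}")
```

The wired user matches no rule at all, so the Default rule alone decides whether that session is denied or let onto the network.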
Info
Channel: Arthur Alexander Burger
Views: 7,783
Keywords: Cisco ISE, Meraki
Id: 4kCvePuPNxI
Length: 12min 39sec (759 seconds)
Published: Wed Mar 29 2017