Cisco TrustSec How-To Guide: ISE Integration with XenMobile MDM
Current Document Version: 3.0
December 11th, 2012

Table of Contents
Introduction 3
  What Is the Cisco TrustSec System? 3
  About the TrustSec How-To Guides 4
Mobile Device Management (MDM) 5
  Overview 5
  Sample Network Topology 6
Using MDM Integration Configuration Steps 8
Appendix A: XenMobile Configuration 18
Appendix B: End User Flow 21
Appendix C: References 26
  Cisco TrustSec System 26
  Device Configuration Guides 26

Introduction

What Is the Cisco TrustSec System?

Cisco TrustSec®, a core component of the Cisco SecureX Architecture™, is an intelligent access control solution.
TrustSec mitigates security risks by providing comprehensive visibility into who and what is connecting across the entire network infrastructure, and exceptional control over what and where they can go. TrustSec builds on your existing identity-aware access layer infrastructure (switches, wireless controllers, and so on). The solution and all the components within the solution are thoroughly vetted and rigorously tested as an integrated system. In addition to combining standards-based identity and enforcement models, such as IEEE 802.1X and VLAN control, the TrustSec system also includes advanced identity and enforcement capabilities such as flexible authentication, Downloadable Access Control Lists (dACLs), Security Group Tagging (SGT), device profiling, posture assessments, and more.

Figure 1: TrustSec Architecture Overview (diagram: RADIUS, Guest Services, Posture and Profiler services; ingress enforcement for wired and wireless users; SXP; Security Group Tag; Campus Network with MACsec; Data Center egress enforcement)

About the TrustSec How-To Guides

The TrustSec team is producing this series of How-To documents to describe best practices for TrustSec deployments. The documents in the series build on one another and guide the reader through a successful implementation of the TrustSec system. You can use these documents to follow the prescribed path to deploy, or simply pick the single use case that meets your specific need. Each guide in this series comes with a subway-style "You Are Here" map to help you identify the stage the document addresses and pinpoint where you are in the TrustSec deployment process (Figure 2).

Figure 2: How-To Guide Navigation Map

What does it mean to be "TrustSec Certified"?

Each TrustSec version number (for example, TrustSec Version 2.0, Version 2.1, and so on) is a certified design or architecture. All the technology making up the architecture has undergone thorough architectural design development and lab testing. For a How-To Guide to be marked "TrustSec certified," all the elements discussed in the document must meet the following criteria:
- Products incorporated in the design must be generally available.
- Deployment, operation, and management of components within the system must exhibit repeatable processes.
- All configurations and products used in the design must have been fully tested as an integrated solution.

Many features may exist that could benefit your deployment, but if they were not part of the tested solution, they will not be marked as "TrustSec certified". The TrustSec team strives to provide regular updates to these documents that will include new features as they become available and are integrated into the TrustSec test plans, pilot deployments, and system revisions (i.e., TrustSec 2.2 certification). Additionally, many features and scenarios have been tested but are not considered a best practice, and therefore are not included in these documents. As an example, certain IEEE 802.1X timers and local web authentication features are not included.

Note: Within this document, we describe the recommended method of deployment, and a few different options depending on the level of security needed in your environment. These methods are examples and step-by-step instructions for TrustSec deployment as prescribed by Cisco best practices to help ensure a successful project deployment.

Mobile Device Management (MDM)

Overview

Mobile Device Management (MDM) software secures, monitors, manages, and supports mobile devices deployed across mobile operators, service providers, and enterprises.
A typical MDM product consists of a policy server, a mobile device client, and an optional inline enforcement point that controls the use of some applications on a mobile device (such as email) in the deployed environment. However, the network is the only entity that can provide granular access control for endpoints (based on ACLs, TrustSec SGTs, etc.). It is envisaged that Cisco Identity Services Engine (ISE) would be an additional network-based enforcement point while the MDM policy server would serve as the policy decision point. ISE expects specific data from MDM servers to provide a complete solution.

The following are the high-level use cases in this solution:
- Device registration: non-registered endpoints accessing the network on-premises will be redirected to the registration page on the MDM server, based on user role, device type, etc.
- Remediation: non-compliant endpoints will be given restricted access based on compliance state.
- Periodic compliance check: periodically check with the MDM server for compliance.
- Ability for the administrator in ISE to issue remote actions on the device through the MDM server (e.g. remote wiping of the managed device).
- Ability for the end user to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe, Corporate Wipe, and PIN Lock.

Sample Network Topology

Figure 3: ISE+MDM Integration Topology

MDM Integration use-case overview
1. The user associates the device to the SSID.
2. If the user device is not registered, the user goes through the BYOD on-boarding flow (details are listed in the Appendix).
3. ISE makes an API call to the MDM server.
4. This API call returns the list of devices for this user and the posture status for those devices. Note that the MAC address of the endpoint device can be passed as an input parameter.
5. If the user's device is not in this list, the device is not registered with the MDM provider. ISE sends an authorization to the NAD to redirect to ISE, and the user is redirected to the MDM server (home page or landing page).
6. ISE will know that this device needs to be provisioned using MDM and will present an appropriate page to the user to proceed to registration.
7. The user is transferred to the MDM policy engine, where registration is completed by the user. Control transfers back to ISE either through automatic redirection by the MDM server or by the user refreshing their browser.
8. ISE queries the MDM again to learn the posture status.
9. If the user device is not compliant with the posture (compliance) policies configured on the MDM, the user is notified that the device is out of compliance, the reason for non-compliance, and the need to be in compliance to access network resources.
10. Once the user's device becomes compliant, the MDM server updates the device state in its internal tables.
11. At this stage the user can refresh the browser, at which point control transfers back to ISE.
12. ISE also polls the MDM server periodically to get compliance information and issues CoAs appropriately.

Components

Table 1: Components Used in this Document
Component | Hardware | Features Tested | Cisco IOS Software Release
Cisco Identity Services Engine (ISE) | Any: 1121/3315, 3355, 3395, VMware | Integrated AAA, policy server, and services (guest, profiler, and posture) | ISE 1.2
MDM Server | MDM | | N/A
Certificate Authority Server (Optional) | Any per specification of Microsoft (Windows 2008 R2 Enterprise SP2) | SCEP, Certificate Authority Server | N/A
Wireless LAN Controller (WLC) | 5500-series, 2500-series, WLSM-2, Virtual Controller | Profiling and Change of Authorization (CoA) | Unified Wireless 7.2.???
Test Devices | Apple & Google | E.g. Apple iOS, Google Android | Apple iOS 5.0 and higher; Google Android 2.3 and higher

Note: Within this document, we have demonstrated MDM configuration only.
We recommend using our How-To Guide to configure ISE and WLC to a recommended state.
How-To Guide: http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
More guides are available at http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Using MDM Integration Configuration Steps

Cisco ISE and MDM integration configuration. Figure 4 shows the main steps in configuring MDM Integration.

Figure 4: MDM Configuration Flow

Add External MDM Server to ISE

MDM servers can be used as a cloud service or installed locally on premises. Once the installation, basic setup, and compliance checks are configured on the MDM server, it can be added to ISE.

Procedure 1: Export MDM Server Certificate

Step 1: Export the MDM server certificate and save it on the local machine.

Figure 5: Export MDM Certificate

Step 2: Import the certificate into ISE. Navigate to: Administration -> Certificates -> Certificate Store -> Import. Optional: add a friendly name, then click Submit.

Figure 6: Import MDM Certificate to Cisco ISE

Step 3: Verify that the certificate is in the Certificate Store.

Figure 7: Verify MDM Certificate in Cisco ISE

Step 4: Add the MDM server: Administration -> MDM.

Figure 8.1: Add MDM Server in Cisco ISE

Click Add, then enter the MDM server details.

Figure 8.2: Add MDM Server in Cisco ISE

Click Test Connection first; ISE will confirm that the connection is working.

Figure 8.3: Add MDM Server in Cisco ISE

Click OK on this pop-up and then select the checkbox. Click the Submit button; the server will be added, and the following success message will be presented to the admin.

Figure 8.4: Add MDM Server in Cisco ISE

Review the MDM dictionaries

Once the MDM server is added, the supported dictionaries show up in ISE and can later be used in ISE authorization policies. Navigate to: Policy -> Policy Elements -> Dictionaries -> MDM -> Dictionary Attributes

Figure 9: Review MDM Dictionaries in Cisco ISE

Configure ISE Authorization Policies

Once the MDM server is added to ISE, we can configure authorization policies in ISE that leverage the new dictionaries added for MDM servers.

Note: Within this document, we have demonstrated using the dictionary attributes MDM:DeviceRegisterStatus EQUALS UnRegistered and MDM:DeviceCompliantStatus EQUALS NonCompliant. Please configure and test additional attributes as well.

Step 1: Create an ACL named "NSP-ACL" on the Wireless LAN Controller; it is used in the policy later to redirect clients selected for BYOD supplicant provisioning, certificate provisioning, and MDM quarantine.
Cisco Identity Services Engine IP address = 10.35.50.165
Internal corporate networks = 192.168.0.0, 172.16.0.0 (to redirect)
MDM server subnet = 204.8.168.0

Figure 10: Access Control List for redirecting the client to the BYOD flow

The NSP-ACL in Figure 10 is explained as follows:
1. Allow all traffic "outbound" from Server to Client.
2. Allow ICMP traffic "inbound" from Client to Server for troubleshooting (optional).
3. Allow access to the MDM server for unregistered and non-compliant devices, so they can download the MDM agent and proceed with compliance checks.
4. Allow all traffic "inbound" from Client to Server to ISE for the web portal, supplicant provisioning, and certificate provisioning flows.
5. Allow DNS traffic "inbound" from Client to Server for name resolution.
6. Allow DHCP traffic "inbound" from Client to Server for IP addresses.
7-12. Deny all traffic "inbound" from Client to Server to corporate resources, so that clients are redirected to ISE (as per company policy).
13. Permit all the rest of the traffic (optional).

Step 2: Create an Authorization Profile named "MDM_Quarantine" for devices that are not compliant with MDM policies. In this case all non-compliant devices will be redirected to ISE and presented with a message. Click Policy -> Policy Elements -> Results, click Authorization -> Authorization Profiles, and click "Add".

Figure 11: Authorization Profiles Navigation

Figure 12.1: Authorization Policy Configuration

Figure 12.2: Authorization Policy Configuration

Note: NSP-ACL needs to be defined on the Wireless LAN Controller; a sample is attached.

Step 3: Create the Authorization Policy. Click Policy -> Authorization -> Authorization Profiles, then click "Insert New Rule Below".

Figure 13: Insert New Rule

Please add the following Authorization Policy rules:
MDM_Un_Registered = This authorization rule is added for devices that are not yet registered with an MDM server. Once the device hits this rule, it is forwarded to the ISE MDM landing page, which presents the user with information on registering the device with the MDM.
MDM_Non_Compliant = This authorization rule is added for devices that are not compliant with MDM policies. Once the device hits this rule, it is forwarded to the ISE MDM landing page, which presents the user with information on the compliance failure.
PERMIT = Once the device is registered with ISE, registered with the MDM, and compliant with ISE and MDM policies, it is granted access to the network.

Note: Once an Android device hits the "Register" button during device registration, ISE sends a Re-Auth CoA to the controller.

Figure 14: Authorization Policy Configuration view

You are done! Please see the How-To Guide "BYOD-Using_Certificates_for_Differentiated_Access" if you are interested in provisioning certificates along with the supplicant profile.

Note: MDM policies could also be defined in more granular detail on Cisco ISE, e.g.

Demonstrations: If you are interested in looking at the end-user experience for on-boarding iOS devices, Android, Windows, and Mac OS X, please visit the following website:
http://wwwin.cisco.com/tech/snsbu/prod-sols/ise/#sectionName=4
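The redirect ACL in Step 1 only works if its rules are evaluated in the stated order: the corporate-network denies must sit after the ISE, MDM, DNS and DHCP permits and before the final catch-all permit. The following first-match evaluator is an added example written for this guide; it is not Cisco's code and not the ACL from Figure 10. Its rule list is reconstructed from the 13-point explanation above using the guide's addresses, and the subnet masks (/16, /12, /24) are assumed because the guide gives only the network prefixes. It also includes a check for the ordering mistake that silently breaks redirection (a catch-all permit placed above a deny).

```python
"""First-match evaluator for a WLC redirect ACL modelled on the guide's NSP-ACL.

Added example (not Cisco's code and not the ACL figure from the guide). The rule
list is reconstructed from the 13-point explanation; subnet masks are assumed,
since the guide gives only the network prefixes."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ISE_IP = "10.35.50.165"                          # from the guide
CORP_NETS = ["192.168.0.0/16", "172.16.0.0/12"]  # prefixes from the guide, masks assumed
MDM_SUBNET = "204.8.168.0/24"                    # prefix from the guide, mask assumed


@dataclass
class Rule:
    seq: int
    action: str              # "permit" or "deny"
    direction: str           # "in" = client->server, "out" = server->client, "any"
    dst: str                 # destination network in CIDR, or "any"
    proto: str = "any"       # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None
    note: str = ""


# Ordered rule set; numbering follows the guide's explanation of NSP-ACL.
NSP_ACL: List[Rule] = [
    Rule(1, "permit", "out", "any", note="all traffic from server to client"),
    Rule(2, "permit", "in", "any", "icmp", note="ICMP for troubleshooting (optional)"),
    Rule(3, "permit", "in", MDM_SUBNET, note="MDM server: agent download, compliance checks"),
    Rule(4, "permit", "in", ISE_IP + "/32", note="ISE portal, supplicant and certificate provisioning"),
    Rule(5, "permit", "in", "any", "udp", 53, note="DNS"),
    Rule(6, "permit", "in", "any", "udp", 67, note="DHCP"),
] + [
    Rule(7 + i, "deny", "in", net, note="corporate resources: blocked so the client is redirected")
    for i, net in enumerate(CORP_NETS)
] + [
    Rule(13, "permit", "any", "any", note="everything else (optional)"),
]


def evaluate(acl: List[Rule], direction: str, dst_ip: str,
             proto: str = "tcp", dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, rule_seq) for the first matching rule; implicit deny if none match."""
    ip = ipaddress.ip_address(dst_ip)
    for r in acl:
        if r.direction != "any" and r.direction != direction:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst != "any" and ip not in ipaddress.ip_network(r.dst):
            continue
        return r.action, r.seq
    return "deny", None


def shadowed_denies(acl: List[Rule]) -> List[int]:
    """Sanity check for the ordering mistake that breaks redirection: a catch-all
    permit placed before a deny rule shadows that deny, so quarantined clients
    would reach corporate networks instead of being redirected to ISE."""
    shadowed = []
    seen_catchall = False
    for r in acl:
        if (r.action == "permit" and r.dst == "any" and r.proto == "any"
                and r.direction in ("any", "in")):
            seen_catchall = True
        elif r.action == "deny" and seen_catchall:
            shadowed.append(r.seq)
    return shadowed


if __name__ == "__main__":
    # Constructed sample flows from a quarantined client.
    for flow in [("in", ISE_IP, "tcp", 8443), ("in", "192.168.10.5", "tcp", 443),
                 ("in", "204.8.168.20", "tcp", 443), ("in", "8.8.8.8", "udp", 53),
                 ("in", "93.184.216.34", "tcp", 80)]:
        print(flow, "->", evaluate(NSP_ACL, *flow))
    print("shadowed deny rules:", shadowed_denies(NSP_ACL))
```

Running the script shows that a quarantined client still reaches ISE (rule 4), the MDM subnet (rule 3) and DNS (rule 5), while traffic to 192.168.0.0 or 172.16.0.0 hits a deny and is therefore redirected. Moving rule 13 to the top makes `shadowed_denies` report rules 7 and 8, which is the condition to look for when a quarantined device unexpectedly has corporate access.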
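To make the use-case flow (steps 3 to 12 above) and the three authorization rules of Step 3 concrete, the following simulation is an added example written for this guide; it is not ISE's code and not the XenMobile API. The MDM inventory, the MAC addresses and the profile names PermitAccess and DenyAccess are constructed or assumed; the dictionary attributes MDM:DeviceRegisterStatus and MDM:DeviceCompliantStatus, the rule names and the MDM_Quarantine profile come from the guide. It models the MDM lookup by user and MAC, the ordered rule evaluation, and the periodic poll that issues a CoA when a device's compliance state changes.

```python
"""Simulation of how ISE consumes MDM lookup results in its authorization policy.

Added example, not ISE's or XenMobile's code. The MDM inventory, MAC addresses and
the profile names PermitAccess/DenyAccess are constructed or assumed; the dictionary
attribute names, rule names and MDM_Quarantine come from the guide."""
import copy
from typing import Dict, List, Tuple

# Constructed MDM inventory: what the guide's step 4 API call returns per user.
MDM_INVENTORY: Dict[str, List[dict]] = {
    "alice": [{"mac": "AA:BB:CC:00:00:01", "compliant": True},
              {"mac": "AA:BB:CC:00:00:02", "compliant": False}],
    "bob": [],
}


def mdm_lookup(user: str, mac: str, inventory=MDM_INVENTORY) -> Dict[str, str]:
    """Emulate the ISE -> MDM API call (step 4) and derive the MDM dictionary attributes.
    A device missing from the user's list is not registered with the MDM (step 5)."""
    for dev in inventory.get(user, []):
        if dev["mac"].upper() == mac.upper():
            return {"MDM:DeviceRegisterStatus": "Registered",
                    "MDM:DeviceCompliantStatus": "Compliant" if dev["compliant"] else "NonCompliant"}
    return {"MDM:DeviceRegisterStatus": "UnRegistered",
            "MDM:DeviceCompliantStatus": "NonCompliant"}


# Ordered authorization rules as in the guide (first match wins):
# (rule name, conditions that must all hold, authorization profile)
AUTHZ_RULES = [
    ("MDM_Un_Registered", {"MDM:DeviceRegisterStatus": "UnRegistered"}, "MDM_Quarantine"),
    ("MDM_Non_Compliant", {"MDM:DeviceCompliantStatus": "NonCompliant"}, "MDM_Quarantine"),
    ("PERMIT", {}, "PermitAccess"),          # profile name assumed
]

# What each profile means for the session; NSP-ACL is the WLC redirect ACL from the guide.
PROFILE_RESULT = {
    "MDM_Quarantine": {"access": "restricted", "redirect_acl": "NSP-ACL",
                       "portal": "ISE MDM landing page"},
    "PermitAccess": {"access": "full"},
}


def authorize(attrs: Dict[str, str]) -> Tuple[str, str]:
    """Evaluate the ordered rule table; fall through to a deny if nothing matches."""
    for name, conds, profile in AUTHZ_RULES:
        if all(attrs.get(k) == v for k, v in conds.items()):
            return name, profile
    return "Default", "DenyAccess"            # profile name assumed


class SessionTracker:
    """Models step 12: ISE re-polls the MDM for active sessions and issues a CoA
    when the authorization outcome changes (e.g. the device became compliant)."""

    def __init__(self, inventory=MDM_INVENTORY):
        self.inventory = inventory
        self.sessions: Dict[Tuple[str, str], str] = {}   # (user, mac) -> current profile
        self.coa_log: List[Tuple[Tuple[str, str], str, str]] = []

    def authenticate(self, user: str, mac: str) -> Tuple[str, str]:
        rule, profile = authorize(mdm_lookup(user, mac, self.inventory))
        self.sessions[(user, mac)] = profile
        return rule, profile

    def poll(self) -> List[Tuple[Tuple[str, str], str, str]]:
        """One periodic compliance poll; returns the CoAs issued during this poll."""
        issued = []
        for key, current in list(self.sessions.items()):
            _, new_profile = authorize(mdm_lookup(*key, inventory=self.inventory))
            if new_profile != current:
                issued.append((key, current, new_profile))   # CoA: re-authorize the session
                self.sessions[key] = new_profile
        self.coa_log.extend(issued)
        return issued


def demo() -> List[Tuple[Tuple[str, str], str, str]]:
    """Walk a non-compliant device through remediation on a private copy of the inventory."""
    inv = copy.deepcopy(MDM_INVENTORY)
    tracker = SessionTracker(inv)
    tracker.authenticate("alice", "AA:BB:CC:00:00:02")   # lands in MDM_Quarantine
    tracker.poll()                                        # nothing changed yet: no CoA
    inv["alice"][1]["compliant"] = True                   # user remediates the device
    return tracker.poll()                                 # CoA moves the session to PermitAccess


if __name__ == "__main__":
    for user, mac in [("alice", "AA:BB:CC:00:00:01"), ("alice", "AA:BB:CC:00:00:02"),
                      ("bob", "AA:BB:CC:00:00:09")]:
        rule, profile = authorize(mdm_lookup(user, mac))
        print(user, mac, "->", rule, profile, PROFILE_RESULT.get(profile))
    print("CoA issued:", demo())
```

One property of this rule ordering worth checking in the real policy: an empty attribute set (for example, when the MDM lookup returns nothing at all) matches neither MDM rule and falls through to PERMIT in the simulation. Whether ISE behaves the same way when the MDM server is unreachable should be verified in the lab rather than assumed, since that case decides whether the integration fails open or closed.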
Appendix A: XenMobile Configuration

In this section we review the configuration of the XenMobile Server for the corporate policies. This highlights the following:
- Verify admin account privileges for the REST API, i.e. the account used by ISE to send REST API calls to the XenMobile Server
- Review the Default Security Policies
- Review the iOS app installation configuration (AnyConnect)

Step 1: Access the XenMobile administrative web interface.
a. On the Admin PC, launch the Mozilla Firefox web browser and enter the XenMobile URL in the address bar: https://ciscoise.zc.XenMobile.com/ciscoise
   Note: The URL listed here is a sample URL.
b. Log in with username and password. Once you log in, you will see the dashboard shown below.

Step 2: User Management
a. Navigate to USERS and create users (admin or client users).
b. Assign the roles accordingly (see the screen below).
c. An admin-role user can be used for the API.

Step 3: Security Policies on the XenMobile Server
a. Navigate to POLICIES > iOS > Configuration.
b. Create the default passcode policy.
c. Create the self-service corporate app store policies as shown below.
d. Review the policies, e.g. Password, Type, Length, Data Encryption, etc.

Appendix B: End User Flow

Below are the steps to follow when enrolling the device with the MDM server.

Step 1: Hit the Enroll tab.
Step 2: Select the device type (iOS in this case).
Step 3: The browser takes you to the App Store to install the Citrix app for enrolling the device. As per Citrix, you have to install both the "Worx Home" and "Citrix Mobile Enroll" apps, as shown below.
Step 4: Once both of the above apps are installed, run the Citrix Mobile Enroll app and it will take you to the screen below. Hit Enroll and follow the next steps.
Step 5: Enter the user credentials and server details and hit Next.
Step 6: Follow the instructions displayed on the screen to enroll the device, as below.
Step 7: Once all three of the above steps are completed, you will see the screen below.
Step 8: You will get the screen below once you hit Next after Step 7 and the device is enrolled.
Step 9: Once the device is enrolled, close the current tab, go back to the enrollment page you got during Step 1, and hit Continue to get permit access on the device, which allows the device to access the corporate network.
Step 10: Make sure you have the following profiles installed on the device (Settings > General > Profiles).

Appendix C: References

Cisco TrustSec System:
- http://www.cisco.com/go/trustsec
- http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Device Configuration Guides:
Cisco Identity Services Engine User Guides: http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html

For more information about Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software releases, please refer to the following URLs:
- For Cisco Catalyst 2900 series switches: http://www.cisco.com/en/US/products/ps6406/products_installation_and_configuration_guides_list.html
- For Cisco Catalyst 3000 series switches: http://www.cisco.com/en/US/products/ps7077/products_installation_and_configuration_guides_list.html
- For Cisco Catalyst 3000-X series switches: http://www.cisco.com/en/US/products/ps10745/products_installation_and_configuration_guides_list.html
- For Cisco Catalyst 4500 series switches: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_installation_and_configuration_guides_list.html
- For Cisco Catalyst 6500 series switches: http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guides_list.html
- For Cisco ASR 1000 series routers: http://www.cisco.com/en/US/products/ps9343/products_installation_and_configuration_guides_list.html
- For Cisco Wireless LAN Controllers: http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg.html