Table Of Contents
Cisco BioMed NAC 2.0—Application Deployment Guide
Cisco BioMed NAC 1.0—Scope of the Solution
Cisco BioMed NAC 2.0—Scope of the Solution
Challenges Experience in Hospitals
Biomedical NAC 2.0 Solution Services
Access Control and Enforcement
Cisco BioMed NAC 2.0 Components
Places in the Network Dependency
BioMed NAC 2.0 Component Considerations
Device Identification and Profiling
Endpoint Attributes for Profiling
Strategies for Profiling Medical Devices
Access Control and Authorization Policies
Enabling Switch to Support Standard Web Authentication
Defining a Local User Name and Password for Synthetic RADIUS Transactions
Setting the NTP Server to Ensure Accurate Log and Accounting Timestamps
Enabling RADIUS Change of Authorization
Enabling Device Tracking and DHCP Snooping
Enabling 802.1X Port-Based Authentication
Using EAP for Critical Authentications
Throttling AAA Requests Using Recovery Delay
Defining VLANs Based on Enforcement States
Defining Local (Default) ACLs on the Switch
Enabling MAC Notification Traps for Profiler to Collect
Philips IntelliVue Patient Monitor—MP30
Dräger—Infinity M300 Patient-worn Monitor
CareFusion Alaris IV Pump—Ambicom Wireless Card
CareFusion Alaris IV Pump—Motorola Wireless Card
Implementing the Cisco BioMed NAC 2.0 Solution
Basic Pre-Planning Considerations
802.1X-Enabled Medical Devices
Redundancy and Reliability Subsystem
Identity Services Engine Redundancy
Cisco BioMed NAC 2.0—
Application Deployment GuideLast Updated: August 29, 2011Curt Mah, Technical Marketing Engineer, CMO ISE, Cisco SystemsCurt is a Technical Marketing Engineer at Cisco with 15 years of networking experience in the industry. He is focused on developing and validating Cisco solution architectures that optimize workflow and improve productivity for the Healthcare Industry. He has worked in the areas of network consulting and product development and has supported fortune 500 companies in the areas of infrastructure deployment, Routing/Switching/WAN and Security. Curt has architected solutions for Broadband Triple Play (voice, video, data) for Service Providers and Healthcare offerings, including Biomedical Network Admission Control and PACS storage optimization. In addition, Curt has co-authored the Cisco Press book Deploying Cisco Voice over IP Solutions and has spoken at numerous industry events including Networkers/Cisco Live, NetWorld+Interop, and the California Medical Instrumentation Association.
Curt holds a Bachelor of Science degree in Electrical Engineering Technology from California Polytechnic University in San Luis Obispo. Curt is a Cisco Certified Internetwork Engineer (CCIE #3856) in Routing and Switching.
Contents
Cisco BioMed NAC 2.0—Application Deployment Guide
Executive Summary
Market Summary
Hospitals continue to invest in upgrading their network infrastructure, as well as building new wings to their existing acute care or ambulatory care environments. IP convergence is steadily becoming a reality, and customers are demanding an environment that improves the quality of patient care while at the same time reducing overall expenses. Many healthcare delivery organizations either already have or are moving towards a converged IP network, and are considering ways to connect information technology (IT) devices, biomedical devices, and guest services on a converged IP network in a secure and reliable manner.
Biomedical devices such as patient monitoring devices, ventilators, and infusion pumps are the fastest growing population of network-connected devices (wired or wireless) in the provider space. Medical device manufacturers (MDMs) continue to introduce devices that are IP enabled, and this trend is growing. Hospitals now use a wide variety of these biomedical devices, often times different models and even across different manufacturers. As more and more biomedical devices become IP enabled, hospitals are looking for ways to maximize their usage in the most effective and economical way.
Figure 1 shows an example of a converged hospital network.
Figure 1 Converged Network
Provider environments that have wired and wireless biomedical devices may gain benefits from the BioMed NAC solution, to help alleviate the manual process of port configuration, and device inventory management. The access security functions of the solution also may help hospitals manage security threats and rogue device access to open ports that exist in the patient accessible areas such as patient rooms, waiting rooms, and so on.
In addition, hospitals that are in shorter supply of IT staff resources may take advantage of the BioMed NAC solution to help augment their staff through identity and provisioning automation.
The real business problem for customers is how to effectively automate the process of getting end-devices (biomedical or IT) onto the network, eliminating the manual process that is a very common approach in the healthcare industry today. Hospitals do not want to manage multiple disparate networks or provision ports manually because of the added cost and delays encountered.
The Cisco BioMed Network Admission Control (NAC) solution is a key security solution that takes advantage of attributes within the Cisco Medical-Grade Network, as shown in Figure 2.
For more information on the Cisco Medical-Grade Network, see the following URL: http://www.cisco.com/web/strategy/healthcare/cisco_medical-grade_network.html.
Figure 2 Key Elements of the Cisco Medical-Grade Network
Cisco BioMed NAC 1.0—Scope of the Solution
The first version of the solution, Cisco BioMed NAC 1.0, focused on the automation of device assignments to controlled zones on the hospital network for wired medical devices. This solution provided proactive monitoring of the behavior of these devices, acting on evidence of specific behaviors, and automatically notifying the appropriate administration of this behavioral change of the device. The solution used the Cisco NAC Appliance set of products (NAC Profiler, NAC Manager, NAC server, and NAC collectors) to provide the basic identity and access control services. The 1.0 version of the solution uses Simple Network Management Protocol (SNMP) as the control plane for access and policy enforcement.
The BioMed NAC 1.0 solution was released as a Cisco Validated Design (CVD) and tested Philips IntelliVue and Dräger Infinity wired patient monitors. For more information, see the following URL: http://www.cisco.com/en/US/docs/solutions/Verticals/Healthcare/bnac_adg.html
Cisco BioMed NAC 2.0—Scope of the Solution
Cisco BioMed NAC 2.0 focuses on profiling both wired and wireless medical devices. The medical devices tested in this version of the solution include Philips IntelliVue, Dräger Infinity® Delta series and Infinity® M300 patient-worn patient monitoring, and CareFusion Alaris Infusion Pumps.
The BioMed NAC 2.0 solution automates the process of identity for both wired and wireless medical devices. As noted previously, BioMed NAC 1.0 included only identity functionality for wired devices. The BioMed NAC 2.0 solution also supports automated device assignments to controlled zones on the hospital network for wired devices, as supported in BioMed NAC 1.0. In addition, there is limited support of automated assignment of wireless devices. For more information about specific supported use cases, see Flows. This 2.0 version uses the Cisco Identity Services Engine (ISE) as the centerpiece for identity, access control, and visibility; and replaces the Cisco NAC Appliance set of products. RADIUS is used as the control plane for access and policy enforcement.
The solution integrates policy and access control into an existing healthcare campus network or Cisco Medical-Grade Network by automating the process of connecting wired and wireless biomedical devices to the hospital's existing infrastructure network.
Challenges Experience in Hospitals
The following examples were taken from real-world experiences found in a number of healthcare organizations. These scenarios are a subset of the challenges of managing medical devices within modern healthcare environments worldwide.
Problem Scenario 1 (Wired-Provisioning)
The housekeeping staff unplugs network cables that connect workstations and medical devices to network ports in the wall of an operating room (OR).
Following the cleaning and sterilization of the room, the devices were reconnected, but not to their original ports. The result caused a number of security violations and impeded the devices from operating with ancillary systems.
Due to the delay isolation the problem, it took several days to resolve this incident, causing major disruption to the OR.
Problem Scenario 2 (Wired-Elasticity)
As the critical care unit (CCU) became fully occupied, patients were being admitted to the critical care overflow (CCO) unit.
Because the CCO unit had not been used for days, only one port and clinical workstation were operational for charting six patients.
This issue was escalated to the hospital administration, and took one day to resolve.
Problem Scenario 3 (Wired-Security)
A family member of a patient looking for an Internet connection plugs their infected laptop into a bedside wall jack that is reserved for medical devices.
Problem Scenario 4 (Wireless-Security)
A series of wireless infusion pumps are installed, and the biomedical staff requires a real-time inventory of these devices for both compliance and equipment purchasing and procurement.
Problem Scenario 5 (Wireless-Security)
A patient monitor is docked to a docking station, which is wired to an Ethernet jack. The patient's vital signs are monitored in the patient room. The patient is then transported to the ward on the second floor, and the patient monitor is undocked and allowed to work in wireless mode, continuously monitoring the patient.
Later that day, the patient monitor cannot be found, and must be located.
Solution Benefits
Cisco BioMed NAC 2.0 is a Cisco Healthcare Solution that addresses the following key challenges:
•
Device identity management for wired and wireless endpoints
The solution allows both wired and wired medical devices to be properly identified through the identity services profiling process. Upon access to the network, the device type, vendor, MAC address, source switch port and/or access point/wireless LAN controller (WLC) of the medical device is stored in the centralized policy platform.
•
For wired access ports, the solution enables the ability to connect medical devices to different bedside wall jacks (switch ports) within the hospital, and allows the network to automatically identify the device type and vendor. Upon device identity, the network applies the correct policy to the port. For 802.lX-enabled wireless devices, upon identity, the network can re-provision the VLAN on the 802.1X WLAN for the correct VLAN on the network. Non-802.1X-enabled wireless devices are identified for inventory purposes only, and dynamic VLAN provisioning on the WLAN is not supported.
•
The solution automatically provisions wired ports for access onto the correct medical device segment based on a preconfigured profile match. On compliant behavior through the matching of known profile heuristics, the solution reports a higher confidence factor for the device. On potential bad behavior through matching of malicious profile heuristics, the administrator may be alerted for further action.
•
The solution provides a graphic interface of the profiling events that occur on the network, and provides the ability to send event changes such as profile matches to a central network management plane. Additionally, for hospitals looking to comply with IEC-80001, this solution provides capability that can aid in compliance processes, specifically related to event management, change release management, configuration management, and monitoring of the medical IT networks.
For more information on the IEC-80001 standard, see the Association for the Advancement of Medical Instrumentation (AAMI) website at the following URL: http://www.aami.org.
While this document focuses on medical device access to the hospital's network, this solution provides the foundation to providing the capability to secure access from all networked devices.
Medical Device Overview
There are many types, classifications, and vendors of biomedical devices available in the market. The following are examples of common biomedical devices:
•
•
•
•
•
•
•
•
•
Figure 3 shows some of the leading biomedical device manufactures and their product focus areas,
Figure 3 Biomedical Device Landscape
Medical Devices
BioMed NAC 2.0 focuses on profile testing of wired and wireless patient monitoring devices and infusion pumps of the following vendors:
•
Figure 4 Philips IntelliVue Products
•
Figure 5 Dräger Infinity Products
•
Figure 6 CareFusion Alaris IV Pumps
Biomedical NAC 2.0 Solution Services
BNAC Services
The BioMed NAC 2.0 solution consolidates functionality into three key areas:
•
•
•
Device Identity
Device identity is the process of determining what type of endpoint is being added to the network.
Biomedical devices such as patient monitors are often "headless", sealed devices and are often not capable of running any form of third-party authentication agents, 802.1X supplicant, or a NAC agent. In addition, they do not provide a means by which a user can manually intervene through a browser. A few select vendors are now supporting 802.1X for their specific wireless device clients and this is expected to be a growing trend among medical device vendors.
To properly identify these types of devices, the BioMed NAC 2.0 solution gathers specific endpoint attributes to determine, within a certain level of confidence, the type of endpoint. The solution is flexible to allow gathering of various types of attributes to determine an overall confidence level in identifying a device.
The device identity process has visibility into the endpoint's observable network attributes, to classify it to a particular profile. In essence, profiling characterizes endpoints for the purpose of identifying and grouping together those that are similar in function, capability, or other defining characteristics.
The Cisco Identity Services Engine (ISE) uses profiling capabilities to classify each endpoint it discovers and profiles the endpoint based on the preconfigured known attributes. Each profile is a logical container or grouping that contains one or more endpoints with similar characteristics (for example, Philips IntelliVue Patient Monitors, Dräger Patient Monitors, and so on.)
The ISE can use the following mechanisms/attributes to gather endpoint information required to profile a device:
•
•
•
•
•
•
The collection functionality is provided by ISE probes and is discussed in detail in the "Probes" section.
Access Control and Enforcement
Access control and enforcement is defined as the network access provisioning process and is used to allow or restrict access to the network.
As devices connect to the network, the BioMed NAC 2.0 solution has the ability to dynamically enforce network access policies. The Cisco BioMed NAC 2.0 solution controls network access using a network segmentation approach facilitated by using the following segmentation technologies:
•
•
•
Network segmentation can then be applied after an identity match is made. For example, if access control is granted based on an endpoint profile match, the Cisco ISE can dynamically configure a particular switch port to be a member of the proper medical device VLAN. If no medical device profiles match, the Cisco ISE assigns the port to the authentication VLAN. No access is granted to the medical device VLAN without proper identification. This example is most commonly applied to wired medical devices. Wireless medical devices, on the other hand, are statically mapped to a medical device VLAN that is in turn mapped to the service set identifier (SSID). At the current time, the Cisco BioMed NAC 2.0 has limited support for this use case. For ISE 1.0 release, only 802.1X WLANs support dynamic wireless VLAN changes.
Reporting and Visibility
Reporting is the process of providing the administrator with real-time information on device identity and access control.
The Cisco ISE Profiler function provides the ability to view the endpoints connecting to the network and manage the endpoint profile creation. The Policy Profiling tab of the user interface provides views of endpoint data, which then allows for the display of information about the endpoints, current and historical, as well as information regarding the connection status of all endpoints in the environment.
The views themselves provide insight into the endpoint landscape, the effectiveness of the profiles to classify all endpoints being observed on the network. The search and advanced search fields can be used to quickly list all endpoints of a certain endpoint profile match. In addition, summary information regarding the profiles enabled for population by Cisco ISE can be ascertained at a glance.
The identity management functionality provides for several gathered attributes of the device, including:
•
•
•
•
•
•
Solution Architecture
The solution architecture identifies the key solution components, integration points, and relevant configurations, as shown in Figure 7.
Figure 7 BioMed NAC 2.0 Overall Architecture
Architectural Scope
The architecture of the solution is shown in Figure 7 and is divided into five main functional areas: medical devices, access layer, distribution layer, core layer, and data center services layer.
Access Layer
Typically, the Cisco Catalyst family of switches are deployed within the campus access layer and provide edge access for a variety of device types and users. The switches are typically deployed at the intermediate distribution frame (IDF) distribution closets located in all areas of the hospital. Conventional multiport Ethernet connections are distributed to the points of use from each of the wiring closets. In addition to conventional wired network users, wireless access points are also connected to the access switches. The BioMed NAC 2.0 solution uses the Change of Authorization (CoA) RADIUS attribute to apply dynamic policy changes to the switch ports when a new device is connected to the switch. This RADIUS-based field is therefore mandatory on access switches and Wireless LAN Controllers to support the Cisco BioMed NAC 2.0 solution.
The following link lists the Cisco Identity Services Engine (ISE)-supported switch, and wireless LAN controller platforms: http://www.cisco.com/en/US/products/ps11640/index.html
The switches facilitate the identification process through the following functions:
•
•
Note
NoteDistribution Layer
The distribution layer of the healthcare campus network contains Cisco IOS Software-based Layer 2- and Layer 3-based switches and routers. The distribution switch typically provides the wireless LAN controller (WLC) functions through the WLC wireless services module (WiSM) card; WLC functionality may also be provided through the use of an external WLC appliance. For WiSM and WLC implementations, the Control and Provisioning of Wireless Access Points (CAPWAP) tunnels terminate at the distribution layer, where wireless LANs (WLANs) are maintained, configured, and administered.
The distribution switches/routers components participate in the profiling process through the following functions:
•
•
For more information on Cisco NetFlow, see the following URL: http://www.cisco.com/en/US/products/ps6645/products_ios_protocol_option_home.html
Core Layer
The core layer uses Cisco IOS-based routers in the healthcare campus network. The core is reserved for high-speed routing, without any services. Services can be placed in a service switch on the data center.
Data Center Services Layer
The data center services layer uses Cisco IOS-based routers/switches in the healthcare campus network.
The data center components participate in the following functions:
•
•
The primary Identity and Profiler components are also deployed in this layer. The identity services connect into the core or data center switch for centralized policy management functions.
Cisco BioMed NAC 2.0 Components
Table 1 lists the Cisco BioMed NAC 2.0 components.
Table 2 lists the Cisco infrastructure access switches and wireless components.
Table 2 Cisco Infrastructure Access Switches and Wireless Components
Access switch
Cisco Catalyst 6500, 4500, 3750, 3560. 3750-X
Access switches used in wired deployments
For complete listing of switch support: http://www.cisco.com/en/US/docs/security/ise/1.0/compatibility/ise-sdt.html#wp55038
IOS Version
12.2.52 (SE)
Access points
Cisco 1242, 1131, 3500
Cisco Unified Wireless Access Points including ClearAir support
http://www.cisco.com/en/US/docs/security/ise/1.0/compatibility/ise-sdt.html#wp55038
7.0.98.0
Wireless LAN controller
WiSM for 6500
Cisco WLAN controllers that communicate with Cisco Aironet access points over any Layer 2 or Layer 3 infrastructure
For complete listing of WLC support: http://www.cisco.com/en/US/docs/security/ise/1.0/compatibility/ise-sdt.html#wp55038
7.0.114.4
Switches
4500, 6500
Routers and switches used in wired deployments at distribution and core layer
Complete listing of router support: http://www.cisco.com/en/US/docs/security/ise/1.0/compatibility/ise-sdt.html#wp55038
IOS Version
12.2
Table 3 lists the Philips medical devices.
Table 4 lists the Dräger medical devices.
Table 5 lists the CareFusion devices.
Medical Device Partners
Table 6 lists the medical device vendors that were tested for the Cisco BioMed NAC 2.0 solution.
Table 6 Technology Partner List
Philips Medical
IntelliVue
Dräger
Infinity Bedside Monitoring, Infinity M300 Patient-worn Monitoring
CareFusion
Alaris
Integration of these components depends on the availability of this equipment from the technology partner. For the purpose of this guide, these components are used only as examples, and Cisco does not provide detailed recommendations on the configuration and design of these components. Where there are interfaces to Cisco equipment, Cisco provides the required design and implementation recommendations to interface to this equipment.
Places in the Network Dependency
The BioMed NAC 2.0 solution leverages multiple place-in-the-networks (PINs) as shown in Figure 8.
Figure 8 Leverage Points of BioMed NAC 2.0
Table 7 provides links for more information about these PINs.
Table 7 Documentation References
Cisco campus network design
3.0
http://www.cisco.com/en/US/netsol/ns815/networking_solutions_program_home.html
Secure wireless
1.0
http://www.cisco.com/en/US/netsol/ns820/networking_solutions_program_home.html
TrustSec
1.0
BioMed NAC 2.0 Component Considerations
Identity Services Engine
The centerpiece of the Cisco BioMed NAC 2.0 solution is the Cisco Identity Service Engine (ISE), as shown in Figure 9.
Figure 9 Identity Service Engine (ISE)
The Cisco ISE is an identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. Its unique architecture allows enterprises to gather real-time contextual information from network, users, and devices to make proactive governance decisions by tying identity back into various network elements including access switches, wireless controllers, VPN gateways, and data center switches. Cisco ISE is a key component of the Cisco TrustSec Solution (http://www.cisco.com/en/US/netsol/ns1051/index.html).
The Cisco ISE provides the key policy and automated medical device identity intelligence, reporting and visibility functionality, and dynamic device segmentation (wired devices) authority. The ISE is a policy-based management platform. For more information on the Cisco ISE, see the following URL:
http://www.cisco.com/en/US/products/ps11640/index.html
The platform delivers all the components required for the following services:
•
•
•
•
•
One of the key benefits of the Cisco ISE platform is the native profiling service support. By incorporating this native profiling subsystem within the native ISE functions, Cisco owns and develops the necessary profiling functions to be successful in the identity space.
Traditionally, the Cisco NAC appliance (also known as Cisco Clean Access) has been used in the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. The Cisco NAC appliance allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. The Cisco ISE is now included in the solution and performs this function.
In summary, Cisco ISE is a consolidated policy-based access control solution that does the following:
•
•
•
•
Cisco ISE 1.0 (product only) provides support for the following use cases:
•
•
•
•
•
•
The Cisco ISE solution provides context-aware identity management of medical devices in the following areas:
•
•
Use the ISE profiler service to assist in identifying, locating, and determining the capabilities of all endpoints on your network (known as identities in Cisco ISE), regardless of their respective device types, to ensure and maintain appropriate access to your enterprise network. The Cisco ISE Profiler function uses a number of probes to collect attributes for all endpoints on the network, and passes them to the Profiler analyzer. The profiler analyzer then looks for attribute matches based on the set of device profiles resident on the Cisco ISE. The device profiles include wellknown attributes that the individual medical devices exhibit on the network. Based on this profile match, devices can be properly identified on the network.
ISE has several functionality modules that are divided into architectural nodes, which are described as follows:
•
•
•
•
•
Figure 10 shows the interaction between these nodes.
Figure 10 Architecture Nodes Interaction
The individual architecture node can be supported on a single appliance platform or deployed on different appliance platforms, depending on scale and size of deployment. This allows for flexibility when sizing the number of appliances across an enterprise.
There are two types of wired deployments:
•
802.1X is the protocol of choice of many organizations for their identity solution. This current adoption of 802.1z in the wired network mainly applies to IT workstations and laptops. Although a few medical device manufacturers are beginning to consider 802.1X supplicant support, most medical devices do not, and reply on MAC address and behavioral-based methods for authentication. The Cisco ISE does, however, provide all services for this use case and provides the functionality to communicate with the Cisco Network Access Devices (NADs) using RADIUS.
•
For healthcare customers that have not yet adopted 802.1X for authentication, Cisco ISE provides services for the non-802.1X use cases.
Currently, the RADIUS control plane is used to provision access switches for VLANs, DACLs, and Security Group access control lists.
High Level Flow
The areas of functionality follow a logical sequence of events, as shown in Figure 11.
Figure 11 Block Diagram Flow
A sample medical device endpoint flow is as follows:
•
•
•
Device Identification and Profiling
For the system to dynamically identify a device when it accesses the network, device profiling must be used for devices that do not support 802.1X. The Cisco ISE must look at identifying characteristics of the individual endpoints to provide enough accurate information to dynamically identify that device.
An example of using identifying attributes of a device can be compared to the attributes of a person. For example, Larry Smith has a static identifying attribute called the Social Security number (US) that can be used to identify this person as Larry Smith. This identifying attribute, though unique throughout the United States, can be spoofed if obtained by a malicious user. Using this "fingerprint" is more effective if combined with other identifying attributes, namely behavioral attributes.
Behavioral security is often useful for those cases where a person or device has not previously been classified as "trusted" or "untrusted." If applied correctly, this can be an effective way to detect and identify devices on the network. Consider the old saying that "if it looks like a duck, walks like a duck, and talks like a duck, it probably is a duck." At the simplest level, this is the basis for behavioral-based security.
In the following example, Larry Smith can be also identified by observing his normal behavior:
•
•
•
A match on any one of these behaviors would not be a very reliable way of identifying Larry Smith; but using a combination of these attributes plus a match on a static attribute (for example, Social Security number) increases the certainty factor greatly.
Upon match, the person's current location is reported; for example, Pruneridge Golf Course, as shown in Figure 12.
Figure 12 Behavior-Based Identification Method—Person
In the following example, the same concept is applied to identification of a medical device. Combining a static attribute (that is. MAC address or OUI value) with a series of behavior matches results in an accurate way of identifying the device. Here, a profile is created using the following attribute rules. A policy can be set in which the match of MAC address and any two other attributes positively identifies the device:
•
•
•
•
•
Upon match, the Cisco ISE system reports the current device location; for example, Maternity Ward: Floor 2, Closet 2B, Switch 5 and Port Fa1/0/11, as shown in Figure 13.
Figure 13 Behavior-Based Identification Method—Device
ISE Profiling
The Profiler service assists in identifying, locating, and determining the capabilities of all the attached endpoints on your network (known as identities in Cisco ISE), regardless of their device types, to ensure and maintain appropriate access to your enterprise network. It primarily collects an attribute or a set of attributes of all the endpoints on your network and classifies them according to their profiles.
•
The probe manager within the sensor provides support to the Profiler service that initializes various probes, and controls the probes that run on the sensor. The probe manager allows you to configure probes to start and stop collecting the attributes and their values from endpoints. An event manager within the sensor allows communication of the events between probes in the probe manager.
A forwarder stores endpoint attributes data collected to the database, and notifies the analyzer of new endpoints detected on your network. The analyzer classifies endpoints to the identity groups and stores endpoints with the matched profiles in the database.
•
The Profiler service primarily collects attributes of endpoints from the network devices and the network, classifies endpoints into a specific group according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database. A list of possible attributes that includes all or any of the attributes are defined in the system dictionaries. You can leverage the existing dictionaries, and define as well an ad-hoc dictionary for any attribute during run-time.
A medical device endpoint is a network-capable device that connects to your healthcare network. The MAC address is the unique representation of this endpoint, but can also be identified an endpoint with a varying set of attributes and the values associated to them (called an attribute-value pair). A varying set of attributes to endpoints based on their capability, the capability and configuration of the NADs, and the methods (probes) can be used to collect these attributes.
Each endpoint on the network can be associated to an existing endpoint identity group in the system, or to a new group that you can create and associate to the parent group. By grouping endpoints, and applying endpoint profiling policies to the group, you can determine the mapping of endpoints to the endpoint profiles by checking the corresponding endpoint profiling policies.
Endpoint Profiling
Cisco ISE Profiler addresses the challenge in the deployment and management of the following next-generation security mechanisms:
•
•
•
Cisco ISE provides a unique functionality in the discovery, location, and determination of the type and capabilities of all the endpoints that are connecting to an enterprise network. Endpoint profiling in Cisco ISE identifies each endpoint on your network, and groups those endpoints according to their profiles.
The Profiler in Cisco ISE provides a contextual inventory of all the endpoints that are using your network resource to find out what is connected to your network, and where it exists on your network. The profiler allows both dynamic and static endpoint profiling, where dynamic endpoint profiling allows you to detect endpoints on your ISE-enabled network, and to notify changes resulting from the network to your Cisco ISE deployment.
The Profiler service assists in identifying, locating, and determining the capabilities of all the attached endpoints on your network (known as identities in Cisco ISE), regardless of their device types, to ensure and maintain appropriate access to your enterprise network. It primarily collects an attribute or a set of attributes of all the endpoints on your network and classifies them according to their profiles.
To effectively profile endpoints on your network, you need a thorough understanding of the types of endpoints (devices) that are connecting to your network, their location, and their abilities relative to the state of the port on which they currently reside. You can define endpoint profiling policies in Cisco ISE that allow you to group endpoints according to their profiles. Cisco ISE deployment creates the following three endpoint identity groups:
•
•
•
An endpoint profiling policy contains a single condition, or a set of conditions (compound condition) that are logically combined using AND and OR operators against which you check and categorize endpoints. All the conditions can either be used with an AND operator or an OR operator together for a given policy.
A condition is a check that maps a specific value to an attribute for an endpoint. If you map more than one attribute, you can logically group the conditions, which helps you to classify and categorize endpoints on your network. You can check endpoints against one or more such conditions with a corresponding certainty metric (an integer value that you define) associated with it. The certainty metric for each condition contributes to the overall matching of the endpoint profiles into a specific category of endpoints. The certainty metric for all the valid conditions are added together to form the matching certainty. The certainty metric measures how each condition contributes improving the overall classification of endpoints on your network.
Figure 14 shows the preconfigured profiles in ISE.
Figure 14 Preconfigured Profiles in ISE
Endpoint Attributes for Profiling
The Cisco ISE profiling subsystem supports the following attributes (as described in the "Device Identification and Profiling" section) to profile a particular endpoint:
•
•
•
•
•
•
The Profiler Attributes window shown in Figure 15 is an example of the Cisco ISE GUI.
Figure 15 Profiler Attributes
The administrator can drill deeper into each of these attributes and have access to lower level fields (dictionaries) to use for profile rules set creation. Figure 16 shows the MAC level categories: MACAddress or OUI.
Figure 16 Detailed Field Names under MAC Address
Figure 17 shows the DHCP level categories.
Figure 17 Detailed Field Names under DHCP
Probes
A probe is a method used to collect an attribute or a set of attributes from an endpoint on your network (see Figure 17). The probe allows you to create or update endpoints with their matched profile in the database. The Probe Configuration tab from the Edit Node page contains the configuration options that allow you to enable or disable the probes on each node.
Figure 18 Profiling Probes
The various probe types are as follows:
•
Cisco ISE Profiler implements Cisco IOS NetFlow Version 9, and also supports earlier versions beginning with version 5. The MAC address is not a part of IP flows in earlier versions of NetFlow, which requires you to profile endpoints with their IP addresses by correlating the attributes information for SNMP polling of network switches and routers for system, interface, bridge, 802.1X, routing, and IP information. This must be activated for all NAC implementations for network access devices (NADs) in the endpoints cache. Cisco IOS NetFlow version 5 packets do not contain MAC addresses of endpoints, and the attributes cannot be added to the database directly, which are collected from NetFlow version 5. You can discover endpoints by using their IP addresses, and appending the NetFlow version 5 attributes to endpoints, but these endpoints must be discovered before with the RADIUS, or SNMP probe. This can be done by combining the IP addresses of the network access devices and IP addresses obtained from the NetFlow version 5 attributes.
•
DHCP is an auto-configuration protocol that is used on IP networks for allocating IP addresses dynamically or statically. It provides reliability in several ways such as periodic renewal, rebinding, and failover in client-server communications. There are two versions of DHCP, one for IPv4, and one for IPv6. Although both versions are named DHCP and perform much the same purpose, the details of the DHCP protocol for IPv4 and IPv6 are sufficiently different that they can be considered as separate protocols. The network should be configured to forward DHCP requests directly to the Cisco ISE. This is commonly done by adding an additional ip-helper address to the first L3 boundary where DHCP requests are seen. The Profiler receives these DHCP packets and parses them to capture the attributes of an endpoint, which can be used for profiling endpoints.
•
A DHCP Switched Port Analyzer (SPAN) probe, when initialized on a Cisco ISE node, listens to network traffic coming from network access devices on a specific interface. You need to configure network access devices to forward DHCP SPAN packets to the Cisco ISE Profiler from the DHCP servers. The Profiler receives these DHCP SPAN packets and parses them to capture the attributes of an endpoint, which can be used for profiling endpoints.
You can create a profiler condition of DHCP type, where you can use the dhcp-requested-address attribute for profiling an endpoint. For a fully-qualified domain name (FQDN) lookup, the Domain Name System (DNS) probe extracts the source IP address from the dhcp-requested-address attribute, which is collected by the DHCP SPAN probe.
•
Hypertext Transfer Protocol (HTTP) is an Application layer protocol designed within the framework of the Internet Protocol Suite. It is a generic, stateless protocol that can be used in distributed object management systems beyond its use for hypertext. It functions as a request-response protocol, which is widely used for communications within distributed client-server architectures. A web browser is a client application (often called a user agent) that implements HTTP, originating an HTTP request message. When the web browser operates, it typically identifies itself, its application type, operating system, software vendor, and software revision by submitting a characteristic identification string to its operating peer. In HTTP, this is transmitted in an HTTP request-header field User-Agent.
The User-Agent is an attribute that can be used to create a profiler condition of IP type, and to check the web browser information. The Profiler captures the web browser information from the User-Agent attribute, as well as other HTTP attributes from the request messages, and adds them to the list of endpoint attributes. Cisco ISE provides many default profiles, which are built into the system to identify endpoints based on the User-Agent attribute.
•
Remote Authentication Dial In User Service (RADIUS) is an Application layer protocol used in client-server communication. It provides centralized AAA management for authentication and authorization of users or devices before granting them access to network services, and also accounting for usage of network services. It supports a variety of methods for user authentication by using username and password. RADIUS is an extensible protocol, where all the client-server transactions consist of variable length attribute-value pairs (AVPs). New attribute-value pairs can be added without disturbing existing implementations of the protocol. The attribute-value pairs carry data in both the RADIUS request and response messages for authentication, authorization, and accounting transactions.
A Network Access Server (NAS) functions as a client of RADIUS, which provides user credentials to a RADIUS server. The RADIUS server returns configuration information necessary for NAS to deliver requested services to the user. Cisco ISE can function as a RADIUS server, and as well as a RADIUS.
•
The DNS probe in your Cisco ISE deployment, when enabled, allows the Profiler to look up an endpoint, and get the FQDN of that endpoint. A DNS lookup tries to determine the endpoint's FQDN. Upon an endpoint detection on your Cisco ISE-enabled network, a list of endpoint attributes is collected from the NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP probes. For a DNS lookup, one of the following probes must be started along with the DNS probe: DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP.
Figure 19 illustrates the probe configuration in the ISE GUI.
Figure 19 Configuring Probes
SPAN
When using the DHCP SPAN probe, port mirroring is used on a network switch to send a copy of all L2 and L3 network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. The network monitoring connection is fed to the Cisco ISE, and DHCP information is parsed at the ISE to process only DHCP packets.
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports reside in the same switch or switch stack. Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis. (See Figure 20.)
Figure 20 SPAN
Remote SPAN
Remote SPAN (RSPAN) can also be used to forward DHCP information to the Cisco ISE. RSPAN supports source ports, source VLANs, and destination ports on different switches (or different switch stacks), enabling remote monitoring of multiple switches across your network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port. (See Figure 21.)
Figure 21 Remote SPAN
SPAN/RSPAN Limitations
Traffic monitoring in a SPAN session has the following restrictions:
•
•
•
•
•
•
•
•
NetFlow
The Cisco ISE Profiler implements Cisco IOS NetFlow Version 9, and also supports earlier versions beginning with version 5. The MAC address is not a part of IP flows in earlier versions of NetFlow, which requires you to profile endpoints with their IP addresses by correlating the attributes information collected from the network access devices (NADs) in the endpoints cache. Cisco IOS NetFlow version 5 packets do not contain MAC addresses of endpoints, and the attributes cannot be added to the database directly, which are collected from NetFlow version 5. You can discover endpoints by using their IP addresses, and append the NetFlow version 5 attributes to endpoints, but these endpoints must be discovered before with the RADIUS or SNMP probe. This can be done by combining IP addresses of the network access devices and IP addresses obtained from the NetFlow version 5 attributes.
Cisco IOS NetFlow version 9 is a proprietary Cisco traffic monitoring technology that allows you to access to IP flows on your network and export IP flows from the NetFlow-enabled network access devices. The Cisco IOS software allows NetFlow to export IP flows by using the User Datagram Protocol (UDP), a non-congestion-aware protocol.
The basic output of NetFlow is a flow record, and the most recent evolution of the flow record format is NetFlow version 9. The distinguishing feature of NetFlow version 9 is that the flow record format is based on a template. The template describes the flow record format, and the attributes of the fields (such as type and length) within the flow record. The template provides flexibility, and it is extensible to the flow record format, a format that allows future enhancements to the NetFlow services without requiring concurrent changes to the basic output. It provides the versatility needed to support new fields, and also record types. The templates cannot be stored in network access devices, but refreshed every time from IP flows.
NetFlow version 9 attributes can be collected from the NetFlow-enabled network access devices to create an endpoint, or update an existing endpoint in the Cisco ISE database. Configure NetFlow version 9 to attach the source and destination MAC addresses of endpoints and update them. A dictionary of NetFlow attributes can be created to support NetFlow-based profiling.
Flexible NetFlow and IPFIX support user-defined flow keys. The router outputs a flow record when it determines that the flow is finished. It does this by flow aging: when the router sees new traffic for an existing flow, it resets the aging counter. Also, TCP session termination in a TCP flow causes the router to expire the flow. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing. In Flexible NetFlow (FNF), an administrator can actually define flow properties on the router.
For more information on the NetFlow Version 9, see the following URL: http://www.cisco.com/en/US/products/ps6645/products_ios_protocol_option_home.html
Collection Locations
For medical devices, the basic profiling attributes should be gathered using the following methods:
•
•
•
•
•
Figure 22 Collection Locations
Following are sample configurations to enable the router/switch components.
SNMP and MAC Notification Sample Configuration at Access Switch
snmp-server community cisco ROsnmp-server enable traps snmp linkdown linkupsnmp-server enable traps mac-notificationsnmp-server host 172.28.200.35 cisco mac-notification snmp xxxxxxx RO!snmp-server community cisco ROsnmp-server community cisco123 RWsnmp-server trap link ietfsnmp-server enable traps snmp authentication linkdown linkup coldstart warmstartsnmp-server enable traps transceiver allsnmp-server enable traps ttysnmp-server enable traps eigrpsnmp-server enable traps licensesnmp-server enable traps clustersnmp-server enable traps fru-ctrlsnmp-server enable traps entitysnmp-server enable traps cpu thresholdsnmp-server enable traps power-ethernet group 1-9snmp-server enable traps power-ethernet policesnmp-server enable traps vtpsnmp-server enable traps vlancreatesnmp-server enable traps vlandeletesnmp-server enable traps flash insertion removalsnmp-server enable traps port-securitysnmp-server enable traps envmon fan shutdown supply temperature statussnmp-server enable traps stackwisesnmp-server enable traps config-copysnmp-server enable traps configsnmp-server enable traps event-managersnmp-server enable traps hsrpsnmp-server enable traps ipmulticastsnmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-messagesnmp-server enable traps bridge newroot topologychangesnmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistencysnmp-server enable traps syslogsnmp-server enable traps rtrsnmp-server enable traps mac-notification change move thresholdsnmp-server enable traps vlan-membershipsnmp-server enable traps errdisablesnmp-server host 172.28.200.45 cisco mac-notification snmpsnmp-server host 172.28.200.45 version 2c cisco123 mac-notification snmpsnmp ifmib ifindex persistNet Flow Sample Configuration at Distribution Router Configuration
6509-DIST-1#mls netflow interface!interface Vlan99ip address 99.99.99.1 255.255.255.0ip helper-address 172.28.200.45ip flow ingressip flow egressip pim sparse-dense-mode!interface Vlan120ip address 120.1.1.1 255.255.255.0ip flow ingressip flow egressip pim sparse-dense-mode!interface Vlan44ip address 44.44.44.1 255.255.255.0ip flow ingressip flow egressip pim sparse-dense-mode!ip flow-capture packet-lengthip flow-capture ttlip flow-capture vlan-idip flow-capture icmpip flow-capture mac-addressesip flow-export version 9ip flow-export destination 172.28.200.45 2055
NoteSPAN Port Sample Configuration at Upstream Switch, Where fa1/0/4 Connects to E2 of the ISE
!monitor session 1 source interface Fa1/0/1monitor session 1 destination interface Fa1/0/4 encapsulation replicateIdentity Matches
Figure 23 shows an example of identity matches based on configured attributes within the endpoint profiles. Note that the MAC addresses are displayed and used to track the endpoint within the Cisco ISE.
Figure 23 Discovered Endpoints Example
Details of the discovered endpoint are listed in Figure 24, and the specifics of the attribute list are displayed.
Figure 24 Detailed Endpoint Attributes
Strategies for Profiling Medical Devices
The Cisco ISE uses a number of mechanisms to establish and maintain the endpoint type and location (as documented in the "Identity Services Engine" section). These mechanisms are used to match the configured profiles:
•
•
•
•
•
•
A condition is a check on the Cisco ISE that maps a specific value to an attribute at first for an endpoint. If you map more than one attribute, you can logically group the conditions, which helps classify and categorize endpoints on the medical IT network. It is also possible to check endpoints against one or more such conditions with a corresponding certainty metric (an integer value that is defined by the network administrator) associated with it. The certainty metric for each condition contributes to the overall matching of the endpoint profiles into a specific category of endpoints. The certainty metric for all the valid conditions are added together to form the matching certainty. The certainty metric measures how each condition contributes improving the overall classification of endpoints on your network. For example, if you assign a certainty metric of 20 for Rule 1 and a certainty metric of 25 for Rule 2, and both rules are matched, the overall certainty factor will be 45 for the profile (20 + 25 = 45).
Compound conditions are made up of two or more simple conditions. You can create compound conditions as reusable objects from within the policy creation page or from the Conditions page.
Rules and conditions are configured as follows:
•
•
•
–
–
•
An exception action is a configurable action, which you can define in an endpoint profiling policy that is triggered when the exception conditions associated to the endpoint profile match.
The minimum certainty factor (CF) is the minimum value that is associated with the profiling policy. When the minimum CF is achieved, the device is identified under the profiling policy. If the minimum CF is not achieved, there is no match in the identities table.
Compound conditions are made up of two or more simple conditions. You can create compound conditions as reusable objects from within the policy creation page or from the Conditions page. The following steps detail how to create multirules (or compound conditions).
1.
Assign certainty factor value at less than 20
2.
Assign certainty factor value at 5
3.
Assign certainty factor value at 5
4.
Assign certainty factor value at 5
Next, create a profile minimum certainty value of 25 where values at or over 25 will be matched. This imposes a match of Rule1 PLUS any other rules (Rules 2 or Rule 3 or Rule 4).
For more details on Profiling, see the following URL: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_task_navs.html#wp1108371
Figure 25 illustrates this concept as applied to a profile.
Figure 25 Profile Example
Access Control and Authorization Policies
Authorization policies are a component of the Cisco ISE network authorization service that allows you to define authorization policies and configure authorization profiles for specific users and groups of users that access your network resources.
Network authorization policies associate rules with specific user and group identities to create the corresponding profiles. Whenever these rules match the configured attributes, the corresponding authorization profile that grants permission is returned by the policy, network access is authorized accordingly.
Authorization policies can contain conditional requirements that combine one or more identity groups using a compound condition that includes authorization checks that can return one or more authorization profiles. In addition, conditional requirements can exist apart from the use of a specific identity group (such as in using the default "Any"). Cisco ISE is an attribute-based policy system, with identity groups being one of the many important attributes.
Policies are applied via the reauthorization process using the Change of Authorization (CoA) RADIUS attribute. CoA is triggered in the endpoint profiling scenarios, which allows the Cisco ISE to actively enforce policies to connected endpoints. The CoA command types are Port Bounce and Re-authenticate.
The following predefined scenarios trigger a CoA.
•
•
•
CoA may be triggered dynamically when a configurable exception-action is matched.
Note the following CoA exemptions:
•
•
Cisco ISE allows a global configuration to issue a CoA for endpoints that are already authenticated to enter your network. The global configuration of CoA in Cisco ISE enables the profiler service with more control over endpoints. You can use the global configuration option to disable CoA by using the default No CoA option or enable CoA by using the Reauth and Port Bounce options.
The RADIUS probe or the monitoring persona REST API can be used to address the authentication of endpoints. For performance reasons, you can enable the RADIUS probe, which allows faster performance. Using the monitoring persona REST API to issue the CoA allows the profiler service to support a wider range of endpoints without requiring the support of the RADIUS probe. This allows you to send the RADIUS CoA requests to the network access device (NAD), even when the profiler RADIUS probe is disabled.
The following CoA options are available (see Figure 26):
•
This default option is used to disable the global configuration of CoA.
•
This option is used only if there is one session on a switch port. If the port exists with multiple sessions, the CoA option that is used is the Reauth option.
•
This option is used to enforce reauthentication of an already authenticated endpoint when profiled. If multiple sessions on a single port exist, the profiler service issues a CoA with the reauth option even if the CoA is configured with the Port Bounce option. This function potentially avoids disconnecting other sessions, as might occur with the Port Bounce option.
Figure 26 CoA Types
The profiler service implements the CoA in the following cases:
•
The profiler service issues a CoA, if you have an existing endpoint successfully authenticated already on your network that is now statically assigned to a different profile or a different endpoint identity group and the endpoint profiling policy has changed
•
The profiler service issues a CoA that requires reauthentication of an endpoint, if an exception condition and an exception action configured per profile leads to an unusual or an unacceptable event from an endpoint. The profiler service profiles such endpoints to a specific identity group that require reauthentication of endpoints.
•
The profiler service issues a CoA that requires reauthentication of an endpoint when an endpoint on your network has failed authentication but is matched for the first time to a known profile.
For example, an IP phone in an open mode that fails 802.1X authentication is profiled to a IP phone profile but the CoA is configured to reauthentication of the endpoint.
•
The profiler service issues a CoA when an endpoint is deleted from the Endpoints page, and the endpoint is most likely disconnected or removed from the network.
VLAN changes or the application of a dynamic access control list (DACL) can be applied when a profile is matched and identity is determined. The authorization profile is created to define the access change.
An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request, and can include the following:
•
•
•
•
•
Figure 27 shows the screen to create the authorization policy.
Figure 27 Authorization Policy
The following commands are used on the access switch to enable RADIUS for authorization policies.
aaa new-modelaaa authentication dot1x default group radiusaaa authorization network default group radiusaaa authorization auth-proxy default group radiusaaa accounting dot1x default start-stop group radius!aaa session-id common!radius-server dead-criteria time 5 tries 3radius-server attribute 6 on-for-login-authradius-server attribute 8 include-in-access-reqradius-server host 172.28.200.45 auth-port 1812 acct-port 1813 test username test-radius key cisco123radius-server source-ports 1645-1646radius-server vsa send accountingradius-server vsa send authenticationEnabling Switch to Support Standard Web Authentication
Ensure that you include the following command lines in your switch configuration to enable standard web authenticating functions for the Cisco ISE, including provisions for URL redirection upon authentication:
ip classlessip route 0.0.0.0 0.0.0.0 10.1.2.3ip http server! Must enable HTTP/HTTPS for URL-redirection on port 80/443ip http secure-serverDefining a Local User Name and Password for Synthetic RADIUS Transactions
Use this function to enable the switch to talk to the Cisco ISE node as though it is the RADIUS server for this network segment:
username test-radius password 0 cisco123Setting the NTP Server to Ensure Accurate Log and Accounting Timestamps
Be sure to specify the same NTP server as is set in Cisco ISE at Administration > System > Settings > System Time:
ntp server <IP_address>|<domain_name>Enabling AAA Functions
Use the following command lines to enable the various AAA functions between the switch and Cisco ISE, including 802.1X and MAB authentication functions:
aaa new-model! Creates an 802.1X port-based authentication method listaaa authentication dot1x default group radius! Required for VLAN/ACL assignmentaaa authorization network default group radius! Authentication & authorization for webauth transactionsaaa authorization auth-proxy default group radius! Enables accounting for 802.1X and MAB authenticationsaaa accounting dot1x default start-stop group radius!aaa session-id common!aaa accounting update periodic 5! Update AAA accounting information periodically every 5 minutesaaa accounting system default start-stop group radius!aaa server radius dynamic-author <cr>client 10.0.56.17 server-key cisco! Enables ISE to act as a AAA server when interacting with the client at IP address10.0.56.17Configuring RADIUS Servers
Configure the switch to interoperate with Cisco ISE acting as the RADIUS source server:
!radius-server attribute 6 on-for-login-auth! Include RADIUS attribute 8 in every Access-Requestradius-server attribute 8 include-in-access-req! Include RADIUS attribute 25 in every Access-Requestradius-server attribute 25 access-request include! Wait 3 x 30 seconds before marking RADIUS server as deadradius-server dead-criteria time 30 tries 3!! Use RFC-standard ports (1812/1813)radius-server host <Cisco_ISE_IP_address> auth-port 1812 acct-port 1813 test usernametest-radius key 0 <RADIUS-KEY>!radius-server vsa send accountingradius-server vsa send authentication!! send RADIUS requests from the MANAGEMENT VLANip radius source-interface <VLAN_number>Enabling RADIUS Change of Authorization
Specify the settings here to ensure that the switch is able to appropriately handle RADIUS CoA behavior supporting posture functions from the Cisco ISE:
aaa server radius dynamic-authorclient <ISE-IP> server-key 0 cisco123Enabling Device Tracking and DHCP Snooping
To help provide optional security-oriented functions from the Cisco ISE, you can enable device tracking and DHCP snooping for IP substitution in DACLs on switch ports:
! Optionalip dhcp snooping! Required!ip device trackingEnabling 802.1X Port-Based Authentication
The following command line turns 802.1X authentication on for switch ports, globally:
dot1x system-auth-controlUsing EAP for Critical Authentications
To support supplicant authentication requests over the LAN, enable EAP for critical authentications (Inaccessible Authentication Bypass):
dot1x critical eapolThrottling AAA Requests Using Recovery Delay
When a critical authentication recovery event takes place, you can configure the switch to automatically introduce a delay (in seconds) to ensure Cisco ISE is able to launch services again following recovery:
authentication critical recovery delay 120Defining VLANs Based on Enforcement States
Use the following command lines to define the VLAN names, numbers, and SVIs based on known enforcement states in your network. Create the respective VLAN interfaces to enable routing between networks. This can be especially helpful to handle multiple sources of traffic passing over the same network segments—traffic from both PCs and the IP phone through which the PC is connected to the network, for example.
vlan <VLAN_number>name ACCESS!vlan <VLAN_number>name MEDICAL_DEVICE!interface <VLAN_number>description ACCESSip address 10.1.2.3 255.255.255.0ip helper-address <DHCP_Server_IP_address>ip helper-address <Cisco_ISE_IP_address>!interface <VLAN_number>description VOICEip address 10.2.3.4 255.255.255.0ip helper-address <DHCP_Server_IP_address>ip helper-address <Cisco_ISE_IP_address>Defining Local (Default) ACLs on the Switch
Enable the following functions on older switches (with Cisco IOS Software releases earlier than 12.2(55)SE) to ensure that the Cisco ISE is able to perform the DACL updates required for authentication and authorization:
ip access-list extended ACL-ALLOWpermit ip any any!ip access-list extended ACL-DEFAULTremark DHCPpermit udp any eq bootpc any eq bootpsremark DNSpermit udp any any eq domainremark Pingpermit icmp any anyremark Pingpermit icmp any anyremark PXE / TFTPpermit udp any any eq tftpremark Allow HTTP/S to ISE and WebAuth portalpermit tcp any host <Cisco_ISE_IP_address> eq wwwpermit tcp any host <Cisco_ISE_IP_address> eq 443permit tcp any host <Cisco_ISE_IP_address> eq 8443remark Drop all the restdeny ip any any log!! The ACL to allow URL-redirection for WebAuthip access-list extended ACL-WEBAUTH-REDIRECTdeny ip any host <Cisco_ISE_IP_address>permit ip any anyEnabling MAC Notification Traps for Profiler to Collect
Configure your switch to transmit the appropriate MAC notification traps so that the Cisco ISE Profiler function is able to collect information on network endpoints:
mac address-table notification changemac address-table notification mac-movesnmp trap mac-notification change addedsnmp trap mac-notification change removedFor more information on Network Access Devices and switch configurations, see the following URL: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html
VLAN Change
As devices connect to the network, the Cisco BioMed NAC 2.0 solution follows a specific process to enforce network authorization policies. The ISE performs RADIUS CoA commands to the relevant access switch dynamically, and changes the VLAN configuration of the particular switchport. For example, if access control is granted based on an endpoint profile match, the ISE sets the particular switch port to be a member of the proper medical device VLAN.
If there is no medical device profile match, the ISE assigns the port to an authentication VLAN, and no access is granted to the medical VLAN.
Dynamic ACL Change
An access control list (ACL) on the Cisco ISE system is a list of permissions attached to a specific object or network resource. An ACL specifies which users or groups are granted access to an object, as well as what operations are allowed on a given object or network resource. Each entry in a typical ACL specifies a subject and an operation, or provides the state (for example, permit or deny). A dynamic ACL (DACL) represents an ACL that is dynamically downloaded to the Cisco Ethernet switch. For information on configuring the authorization policy in the Cisco ISE, see the "Implementing the Cisco BioMed NAC 2.0 Solution" section.
Security Group ACL Change
Security Groups and SGTs
The Cisco TrustSec Security Group Access (SGA) architecture builds secure networks by establishing a domain of trusted network devices. Every device in the SGA domain is authenticated by its peer device. Communication on the links between devices in the SGA domain is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. SGA also uses the device and user identity information acquired during authentication to classify the packets as they enter the network. This packet classification is maintained by tagging packets on ingress to the SGA-based network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path.
A security group is a grouping of users, endpoint devices, and resources that share access control policies.
The tag, also called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
NoteSecurity Group ACL Policies
Using security group access control lists (SGACLs), you can control the operations that users can perform based on the security group assignments of users and destination resources. Policy enforcement within the Cisco TrustSec domain is represented by a permissions matrix, with source security group numbers on one axis and destination security group numbers on the other axis. Each cell in the body of the matrix can contain an ordered list of SGACLs that specifies the permissions that should be applied to packets originating from the source security group and destined for the destination security group.
Figure 28 shows an example of a Cisco TrustSec permissions matrix for a simple domain with three defined user roles and one defined destination resource. Three SGACL policies control access to the destination server based on the role of the user.
Figure 28 SGACL Policy Matrix Example
To start the process where you can display, create, modify, or delete policy element permissions for SGACLs, you need to locate their respective navigation panes in the Cisco ISE user interface.
Figure 29 shows an example of the use of SGACLs.
Figure 29 Using SGACLs
Visibility and Reports
The Cisco ISE dashboard (Home) is the landing page that appears after you log into the Cisco ISE administration console. The dashboard is a centralized management console consisting of metric meters along the top of the window, with dashlets below. (See Figure 30.)
Figure 30 Cisco ISE Dashboard
The Profiled Endpoint dashlet focuses on the endpoints on the network that have matched profiles, providing profile data for each endpoint. For example, the statistics allow you to determine the type of device, its location, and its IP address. The sparklines along the top of the dashlet represent endpoint activity over the last 24 hours and last 60 minutes.
You can expand the following data categories for more information (see Figure 31):
•
•
•
Figure 31 Profiled Endpoints
Details of the discovered endpoints are listed individually, as shown in Figure 32.
Figure 32 Information Gathered on the Endpoint
The Cisco ISE collects log and configuration data from across your network, and it then aggregates the collected data into reports for further analysis. Furthermore, the Cisco ISE provides a standard set of predefined reports that can be used and customized to fit specific needs.
The reports are grouped into logical categories for information related to authentication, session traffic, device administration, configuration and administration, and troubleshooting
You can view, run, and customize report data using Reports View and Interactive Viewer for all types of reports.
The Reports View displays lists of catalog or favorites reports, allows you to run reports, view results, export data, and print information. For more information on Reports, see the following URL: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_report.html.
The Cisco Prime Network Control System (NCS) is a management platform that delivers converged user, access, and identity management with complete visibility into endpoint connectivity. Prime NCS can be integrated with Cisco ISE to deliver visibility into compliance based on real-time contextual information from the network, users, and devices across the wired and wireless access network. For more information on Cisco Prime NCS, see the following URL: http://www.cisco.com/en/US/products/ps11686/index.html.
Flows
Wired Flow
For wired medical devices, the following events are relevant in the identity process and the auto-provisioning events. Figure 33 illustrates the sequence of events that occur after a device is attached to the access switch.
Figure 33 Wired Devices Flow
1.
2.
3.
4.
5.
Wireless Flow
For wireless medical devices, the following events are relevant in the identity process and the auto-provisioning events. Figure 34 illustrates the sequence of events that occur after a device is connected to an access point.
Figure 34 Wireless Devices Flow
1.
2.
3.
NoteFigure 35 Information Gathered at the Endpoint
4.
5.
Wireless Flow with 802.1X
For wireless medical devices that support 802.1X, the following events are relevant in the identity process and the auto-provisioning events. Figure 36 illustrates the sequence of events that occur after a device is connected to an access point.
Figure 36 Wireless 802.1X Flow
1.
2.
3.
Note4.
Figure 37 802.1X Attribute Details
Vendor Profiles
The information in this section is provided for the purposes of examples only. Organizations must verify that the profiles being implemented are functioning before putting the system into production, and ideally before the initial rollout of testing.
Philips IntelliVue Patient Monitor—MP30
Table 8 lists the vendor profile information for the Philips IntelliVue Patient Monitor (MP30).
Dräger—Infinity Delta Bedside
Table 9 lists the vendor profile information for the Dräger Delta Patient Monitor.
Dräger—Infinity M300 Patient-worn Monitor
Table 10 lists the vendor profile information for the Dräger Infinity M300 Patient Monitor.
CareFusion Alaris IV Pump—Ambicom Wireless Card
Table 11 lists the vendor profile information for the CareFusion Alaris IV Pump Ambicom Wireless Card.
CareFusion Alaris IV Pump—Motorola Wireless Card
Table 12 lists the vendor profile information for the CareFusion Alaris IV Pump Motorola Wireless Card.
Implementing the Cisco BioMed NAC 2.0 Solution
Basic Pre-Planning Considerations
•
–
–
–
•
–
–
•
–
•
–
–
•
–
For further implementation details, see the ISE User Guide, Chapter 3 "Cisco ISE Task Navigator‡ Setup" at the following URL: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_task_navs.html#wp1107247
Basic Implementation Steps
Complete the following steps.
Procedure
Step 1
Step 2
NoteStep 3
a.
b.
c.
Figure 38 Adding Devices
d.
e.
Figure 39 Authentication Settings and SNMP Settings
f.
g.
Figure 40 Displaying Network Devices
The following is a sample configuration of SNMP and MAC notification on the access switch:
snmp-server community cisco ROsnmp-server enable traps snmp linkdown linkupsnmp-server enable traps mac-notificationsnmp-server host 172.28.200.35 cisco mac-notification snmp xxxxxxx RO!snmp-server community cisco ROsnmp-server community cisco123 RWsnmp-server trap link ietfsnmp-server enable traps snmp authentication linkdown linkup coldstart warmstartsnmp-server enable traps transceiver allsnmp-server enable traps ttysnmp-server enable traps eigrpsnmp-server enable traps licensesnmp-server enable traps clustersnmp-server enable traps fru-ctrlsnmp-server enable traps entitysnmp-server enable traps cpu thresholdsnmp-server enable traps power-ethernet group 1-9snmp-server enable traps power-ethernet policesnmp-server enable traps vtpsnmp-server enable traps vlancreatesnmp-server enable traps vlandeletesnmp-server enable traps flash insertion removalsnmp-server enable traps port-securitysnmp-server enable traps envmon fan shutdown supply temperature statussnmp-server enable traps stackwisesnmp-server enable traps config-copysnmp-server enable traps configsnmp-server enable traps event-managersnmp-server enable traps hsrpsnmp-server enable traps ipmulticastsnmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-messagesnmp-server enable traps bridge newroot topologychangesnmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistencysnmp-server enable traps syslogsnmp-server enable traps rtrsnmp-server enable traps mac-notification change move thresholdsnmp-server enable traps vlan-membershipsnmp-server enable traps errdisablesnmp-server host 172.28.200.45 cisco mac-notification snmpsnmp-server host 172.28.200.45 version 2c cisco123 mac-notification snmpsnmp ifmib ifindex persistStep 4
a.
Figure 41 Deployment Nodes
b.
Figure 42 Editing Nodes
c.
Figure 43 Probe Config
Step 5
a.
Figure 44 Endpoint Policies
b.
c.
Figure 45 Creating a Profile
d.
e.
f.
For details on rule creation, see the following URL: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_user_guide.html
Step 6
a.
b.
c.
d.
Figure 46 Assigning Authorization
e.
f.
In the example shown in Figure 47, Draeger Delta is selected from the Profiled Endpoints menu.
Figure 47 Selecting Profiled Endpoints
g.
h.
i.
j.
k.
Figure 48 Authorization
l.
m.
n.
Figure 49 Assigning a VLAN
o.
p.
q.
r.
s.
Figure 50 Re-assigning Permission
Step 7
a.
b.
c.
Figure 51 Creating DACLs
d.
e.
f.
Step 8
Figure 52 DACLs Management
Step 9
Figure 53 Authorization Profiles
a.
b.
c.
d.
e.
802.1X-Enabled Medical Devices
Although many devices such as laptops and mobile devices support 802.1X devices, wireless medical device support for 802.1X has not been fully adopted across the industry. Some manufacturers are now beginning to support 802.1X in wireless modes. With the support of 802.1X, several benefits are possible.
•
•
–
–
NoteThe Cisco ISE can act as RADIUS server and support certificates, as shown in Figure 54.
Figure 54 Certificate Authority Certificates
Quality of Service
Table 13 shows the desired markings of quality of service (QoS) for packets that originate from the various endpoint sources, NAC appliance devices, and central stations. The goal of this suggested QoS packet marking is to stay in compliance with the campus QoS and Unified Communications best-practice design guides. The desired markings for the identified and marked data packets are elevated in priority because these data flows are often critical in the healthcare environment.
Packet Marking
The markings of these packets may occur at various locations. Some applications may or may not have the ability for marking. Table 14 illustrates the packet marking design for this solution.
End-to-End QoS
For this solution, QoS will be configured for all Layer 3 capable switch and router interfaces. The main Place-in-the-Network for this solution is the Campus network. The remainder of the Campus design will follow the design recommendations of the QoS SRND for Campus and Data Center.
Cisco ISE APIs
The Cisco ISE Release 1.0 supports three categories of representation state transfer (REST) APIs and related API calls to gather session and node-specific information about monitoring and troubleshooting nodes in your network. The supported categories of REST APIs that are available to users in Cisco ISE Release 1.0 are as follows:
•
–
–
•
You can use only these supported REST API categories to gather information about endpoints being monitored by monitoring and troubleshooting nodes in your Cisco ISE Release 1.0 network. Any attempt to use these APIs to gather information about the Policy Service persona of an ISE appliance in a Cisco ISE network will result in an error. For more information about ISE nodes and personas, see the Cisco Identity Services Engine User Guide, Release 1.0. at the following URL: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_user_guide.html
Use the API calls to gather important real-time session-based information stored in individual endpoints in your network that you can access that are monitored by Cisco ISE monitoring and troubleshooting nodes. The API calls let you locate, monitor, and accumulate session-based information that can prove useful to understand its operation, assist in diagnosing conditions or issues, or used to troubleshoot error conditions or activity or behavior that you suspect may be affecting your monitoring and troubleshooting operations.
Redundancy and Reliability Subsystem
Certain components of the overall solution may be capable of providing high availability (HA) services.
The Cisco Validated Design (CVD) testing includes the validation of the points of direct integration between the patient monitors, access switches, routing, and NAC appliance devices. There will be a complete test of all of the functions unique to the solution.
The solution conforms to the best practices for core, distribution, and access layers. The following Cisco CVDs are therefore used as a reference, and can be found at http://www.cisco.com/go/designzone:
•
•
Figure 55 shows a sample campus layout.
Figure 55 Campus Layout
Network Core
The core is designed with L3 full mesh connectivity to the distribution layer, preventing L2 loops from occurring. Only hardware-based forwarding is permitted in the core to provide the highest possible wire rate service possible.
Because the core is L3 between the distribution layers, the resulting size of the Spanning Tree domain is contained to within the switches that comprise the network core. Through the use of a routing protocol between the core and distribution layer, equal cost load balancing is employed to provide both additional bandwidth and redundancy.
Distribution Layer
The distribution layer consists of a number of dual-connected switches that have full mesh L3 connectivity back to the core, and typically full mesh L2 connectivity to the access layer switches for the access layer(s) to which they support.
No single point of failure exists within the network layer. In addition, rapid convergence around a failure is achieved through optimized L3 routing protocols and Rapid PVST+ spanning tree for L2 connections.
Through the use of Gateway Load Balancing Protocol (GLBP), Hot Standby Redundancy Protocol (HSRP), and Virtual Router Redundancy Protocol (VRRP), an environment that fosters load sharing and high availability is achieved.
Access Layer
The access layer can be built as an L2 or L3 design. Through the use of an L3 design, all links are load balanced and optimized for rapid network convergence. In L2 designs, the use of Rapid PVST+ spanning tree provides loop-free L2 connectivity with the advantage of rapid convergence in the event that there is a failure.
Redundancy for single-homed hosts is not supported. Instead, this solution relies on redundant hosts connected to different switch fabrics.
Identity Services Engine Redundancy
A Cisco ISE distributed deployment consists of one primary Administration ISE node and multiple secondary nodes. Each ISE node in a deployment can assume any of the following personas: Administration, Policy Service, and Monitoring.
When you register an ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins the process of replication. Replication is the process of sharing ISE configuration data from the primary to the secondary nodes. Replication ensures consistency among the configuration data present in all the ISE nodes that are part of your deployment.
A full replication typically occurs when you first register an ISE node as a secondary node. An incremental replication occurs after a full replication, and ensures that any new changes such as additions, modifications, or deletions to the configuration data in the primary Administration ISE node are reflected in the secondary nodes. The process of replication ensures that all ISE nodes in a deployment are in sync. You can view the status of replication from the deployment pages of the ISE administrative user interface.
Cisco ISE allows you to have a maximum of two Administration ISE nodes in your deployment, for high availability. To create a high availability pair, you configure one Administration ISE node as primary active and the other Administration ISE node as secondary standby.
In a high availability configuration, the primary Administration ISE node is in the active state to which all configuration changes are made. The secondary Administration ISE node is in the standby state, and receives all configuration updates from the primary Administration ISE node. Therefore, it always has a complete copy of the configuration from the primary Administration ISE node.
When the primary Administration ISE node becomes unavailable, you must log into the secondary Administration ISE node and promote it to become the primary Administration ISE node. There is no automatic failover for the Administration ISE node.
For information of ISE High Reliability, see the following URL: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1128454
References
•
•
•
•
•
