Large School District Chalks Up A Major Security Upgrade With Fortis
One of the largest high school districts in the country worked with Fortis and Sentinel to implement core Network Access Control (NAC) services using Cisco Identity Services Engine (ISE) and a next-generation firewall (NGFW). These services included network device administration authentication (AAA), 802.1X/RADIUS authentication for the Cisco wireless networks, a guest wireless portal and sponsor portal for the personal devices of students and staff, Cisco Umbrella DNS-layer security, and remote access authentication for the Cisco AnyConnect Secure Mobility Client VPN.
The district had a myriad of devices and users accessing its networks via switches, wireless access points, and VPNs. It was looking to implement a 1:1 (one device per student) program and provide secure access for all 30,000 students and staff on the district network. It wanted to use Cisco ISE to consolidate access policies across the district while increasing security for both on-premises and remote students and staff.
Cisco ISE lets an organization set policies for controlling access to its network infrastructure using contextual information such as device type, endpoint configuration (posture), location, MAC address, user role or user identity, and more. That context is then used to apply connect-time and post-connect controls to endpoints such as laptops, workstations, mobile phones, tablets, printers, cameras, and Internet of Things (IoT) devices.
Key features of Cisco ISE include (but are not limited to) the following:
- Centralized Management – administrators centrally configure and manage user profiles, posture, guest access, authentication, and authorization services from a single web-based GUI console.
- Contextual Identity and Business Policy – a rule-based, attribute-driven policy model for flexible, business-relevant access control. Policy conditions can use attributes such as user and endpoint identity, posture status, authentication protocol, device identity, and information from external sources.
- Access Control – a range of authorization results, including downloadable Access Control Lists (dACLs), VLAN assignment, URL redirection, named ACLs, and security group ACLs.
- AAA Services – the standard RADIUS protocol for Authentication, Authorization, and Accounting. Supports a wide range of authentication protocols, including but not limited to PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), EAP-Transport Layer Security (EAP-TLS), and EAP-Tunneled Transport Layer Security (EAP-TTLS).
- Internal Certificate Authority – a built-in CA that issues endpoint certificates, giving a single console for managing both endpoints and their certificates.
- Device Discovery and Profiling – determines device type, manufacturer, and operating system by inspecting traffic the devices send on the network.
- Endpoint Posture Service – checks endpoint compliance before granting full access: OS version and patch level, presence and version of anti-virus/endpoint protection, and pending OS updates.
- Guest Lifecycle Management – a streamlined experience for implementing and customizing guest network access. Support is built in for hotspot, sponsored, self-registration, and other guest access options.
- Security Product Integration – bi-directional integration with other security products.
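The "Access Control" and "AAA Services" items above describe authorization results that ISE returns to the switch or wireless controller inside a RADIUS Access-Accept. The following added example (not code from the original page, Fortis, or Cisco) shows what a network access device does with that packet: it verifies the Response Authenticator with the RADIUS shared secret, then extracts the VLAN assignment from the RFC 2868 tunnel attributes and the dACL name from the Cisco vendor-specific `cisco-avpair` attribute (Vendor-Id 9). The packet, shared secret, VLAN and ACL name are all constructed placeholders; an actual ISE dACL name follows the `#ACSACL#-IP-<name>-<hash>` pattern, and the switch fetches the ACL contents in a separate Access-Request using that name.

```python
"""Decode a RADIUS Access-Accept the way a switch/WLC does after ISE authorizes
an endpoint: verify the Response Authenticator (RFC 2865 section 3), then pull
out the VLAN (RFC 2868 Tunnel-* attributes) and the dACL name carried in a
Cisco cisco-avpair VSA. Added example with a constructed packet; the shared
secret, VLAN number and ACL name are placeholders, not values from the
district's deployment."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VSA = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM = 65
ATTR_TUNNEL_PRIVATE_GROUP = 81
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor type of the cisco-avpair string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
DACL_KEY = "ACS:CiscoSecure-Defined-ACL"


def _avp(attr_type, value):
    """Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tagged_int(tag, value):
    """RFC 2868 tagged integer: Tag(1) + 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(ident, request_auth, secret, vlan, dacl_name):
    """Build the Access-Accept an ISE PSN would send (constructed, for the demo)."""
    avpair = f"{DACL_KEY}={dacl_name}".encode()
    attrs = (
        _avp(ATTR_TUNNEL_TYPE, _tagged_int(1, TUNNEL_TYPE_VLAN))
        + _avp(ATTR_TUNNEL_MEDIUM, _tagged_int(1, TUNNEL_MEDIUM_802))
        + _avp(ATTR_TUNNEL_PRIVATE_GROUP, bytes([1]) + str(vlan).encode())
        + _avp(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + _avp(CISCO_AVPAIR, avpair))
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """The NAD must reject any reply it cannot tie to its own request and secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def iter_attrs(data):
    """Walk a TLV attribute list, refusing truncated or zero-length entries."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def authorization_from_accept(packet, request_auth, secret):
    """Return {'vlan': str|None, 'dacl': str|None} from a verified Access-Accept."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet")
    if not verify_response(packet, request_auth, secret):
        raise ValueError("bad Response Authenticator; discarding reply")
    result = {"vlan": None, "dacl": None}
    tunnel = {}
    for attr_type, value in iter_attrs(packet[20:]):
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM):
            tunnel[attr_type] = int.from_bytes(value[1:], "big")  # skip tag byte
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP:
            # Leading octet is a tag only if it is <= 0x1F; otherwise part of the string.
            tunnel[attr_type] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif attr_type == ATTR_VSA and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            for vendor_type, vendor_value in iter_attrs(value[4:]):
                if vendor_type == CISCO_AVPAIR:
                    key, _, val = vendor_value.decode().partition("=")
                    if key == DACL_KEY:
                        result["dacl"] = val
    # Only honour the group ID as a VLAN when type/medium say VLAN over 802.
    if (tunnel.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and tunnel.get(ATTR_TUNNEL_MEDIUM) == TUNNEL_MEDIUM_802):
        result["vlan"] = tunnel.get(ATTR_TUNNEL_PRIVATE_GROUP)
    return result


# Constructed sample: secret and request authenticator are placeholders.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_access_accept(0x2A, REQUEST_AUTH, SECRET, 120, "#ACSACL#-IP-STUDENT-ACL-example")


def demo():
    return authorization_from_accept(SAMPLE, REQUEST_AUTH, SECRET)


def tampered_rejected():
    """Flip the VLAN in transit (same length); the authenticator check must fail."""
    forged = SAMPLE.replace(b"120", b"999")
    try:
        authorization_from_accept(forged, REQUEST_AUTH, SECRET)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The tamper check is the security-relevant part: without the shared secret an attacker on the path between the switch and the ISE Policy Service Node cannot rewrite the VLAN or dACL in a reply, so protecting that secret (and using distinct secrets per device group) matters as much as the policy itself.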
Strategy / Approach
The rapid increase in bring-your-own devices, guest access, vendor access, and IoT devices has significantly expanded the attack surface of most networks. This has fueled demand for NAC products in medium-to-large organizations as a way to mitigate that added risk, and the effectiveness of NAC products has grown through integration with next-generation firewalls, threat detection software, endpoint protection software, SIEM, and mobile device management software.
Designing and rolling out a NAC product such as Cisco ISE can be daunting, because the implementation touches virtually every element of the network: switching, wireless, firewalls, endpoint protection, PKI, and the user directory. Larger enterprise networks also have far more devices and segments to secure. Because of these challenges, Fortis worked with the client and its network security staff to design and implement the new ISE features in a multi-phased approach, which let the school district and Fortis work through implementation issues and tuning in each phase before moving on to the next.
At a high level, Fortis broke this engagement up into three separate phases, as follows:
Phase I: Cisco ISE Software Install – During this phase, the district’s ISE nodes were installed by Fortis.
The distributed deployment consisted of nine Cisco Identity Services Engine nodes running as virtual machines in the district's existing Hyper-V environment. The nine nodes carried the following personas (a single ISE node can host more than one persona):
- (9) ISE Policy Service Nodes
- (2) ISE Administration Nodes (primary and secondary)
- (2) ISE Monitoring Nodes (primary and secondary)
Phase II: Discovery and Wireless True-up – During this phase, an overall access and security policy was developed jointly with the school district and Fortis. Adjustments to consolidate the wireless access policies were made in accordance with the overall agreed-upon access policy and design.
Phase III: VPN Authorization and Client Posturing – During this phase, VPN authorization was added on top of the existing Cisco ISE implementation. The updated policy included endpoint posturing to ensure remote endpoints met the district's requirements, such as running anti-virus/anti-malware and an approved OS version, before being granted access.
As a result of this project, the district increased security for all on-premises and remote users across its network by implementing consolidated, district-wide access policies.