Network security in 2014: new problems and their solution on Cisco equipment
Presenter: Sergey Kucherenko, 14 January 2014, serg.kucherenko@getccna.ru


DESCRIPTION

SkillFactory expert Sergey Kucherenko on new trends in network security: how to answer the new challenges using the Cisco equipment you already have. Watch the webinar recording: http://www.youtube.com/watch?v=JzO8bRguh74&hd=1


  • 1. Network security in 2014: new problems and their solution on Cisco equipment. Sergey Kucherenko, 14 January 2014, serg.kucherenko@getccna.ru
  • 3. PC Laptop Web Web PC, Laptop BYOD MDM , push , ,
  • 4. Cisco ISR G2 (IOS 15.3(2)T1): User Based Firewall, Transparent ZBF, ScanSafe Connector, LDAP Server in AAA. Cisco Wireless LAN Controller 5.0.148.0, ISR WLC module ISM-SRE-300 7.4.110.0: WEB Passthrough Authentication, 802.1X Authentication/Authorization
  • 5. Microsoft Windows Server 2008 R2 64-bit: Active Directory, DNS, Network Policy Server (NPS) integrated with Active Directory. Meraki Systems Manager (Mobile Device Manager): push of settings, 802.1x
  • 6. Lab topology (diagram; recoverable labels only):
      Vlan 95 SF_Mng   192.168.95.0/24   MNG zone
      Vlan 50 SF_Data  192.168.32.0/24   IN zone (G0/0.50)
      Vlan 96 SF_Open  192.168.96.0/24   GUEST zone
      Vlan 97 SF_Sales 192.168.97.0/24   SALES_WF zone
      Vlan 98 SF_TR    192.168.98.0/24   TR_WF zone
      Vlan 30 SF_SRV   192.168.30.0/24   SRV zone (G0/0.130)
      G0/2 Internet                      OUT zone
      Other labels: SF_Corp, Sales Resources, Trainer Resources
      Zone pairs: IN_OUT, IN_SRV, OUT_SRV, GUEST_OUT, SLAES_WF_SRV, TR_WF_SRV, MNG_MNG, IN_IN, SLAES_WF_OUT, TR_WF_OUT, SLAES_WF_IN, TR_WF_IN
  • 7. Agenda: 1. User Based Firewall 2. ScanSafe Connector 3. WLC Setup 4. MS Network Policy Server setup 5. Meraki Systems Manager setup
  • 8. 1. User Based Firewall: match user-group in class-map type inspect; the user-group is learned through Authentication Proxy (ip admission). Authentication Proxy methods: Telnet (telnet session, username/password), FTP (FTP session), HTTP (http or https; http authentication proxy):
  • 9. HTTP authentication proxy: 1. HTTP Basic: the browser is redirected to the virtual-proxy (ip http secure-server) and asked for login/password; with secure-server the prompt is over https (certificate from a Certificate Authority). Authentication database: Local/Radius/LDAP
  • 10. 2. NTLMSSP: virtual-proxy with an NTLM-enabled browser (IE/Mozilla/Chrome); the user is not prompted for username/password*; the browser sends a hash, not the credentials themselves. NTLMSSP requirements: Internet Explorer: the Virtual-proxy IP/FQDN must be in trusted-sites; Firefox: the Virtual-Proxy IP name must be allowed. * - Windows PC that is a Domain member; database: LDAP (MS AD)
  • 11. Where the user-group comes from: local (configured on the User Based ZBF router); radius: the Radius server (Cisco ACS/Cisco ISE/Microsoft NPS/...) returns the Cisco Vendor Specific AV Pair supplicant-group=; ldap: the ldap server returns memberOF=, and IOS maps memberOF= to supplicant-group= with the default attribute map
  • 12. How it works (flow). On the router: IP Admission Rule + AAA Rule.
      1. HTTP Request from the client
      2. HTTP Redirect to Virtual Proxy IP
      3. HTTP Request to Virtual Proxy IP (NTLM: with HASH; otherwise HTTP Basic)
      4. Authentication Request to RADIUS or LDAP
      5. Authentication Response: RADIUS returns Cisco AV Pair supplicant-group=; LDAP returns memberOF=, converted by the Attribute Map
      6. class-map type inspect match usergroup, referenced from policy-map type inspect (class type inspect / inspect), applied on zone-pair security
  • 13. User Based Firewall configuration: 1. a) RADIUS (MS) and IOS b) LDAP (MS) and IOS c) Microsoft NAP Radius 2. AAA for authentication-proxy 3. authentication-proxy a) ... / ... / ... / AAA / Virtual IP / Virtual FQDN b) timers c) apply authentication-proxy 4. ZBF with Group-Info 5. verification
  • 14. User Based Firewall, 1.b) LDAP (MS) and IOS. LDAP server:
      R1(config)#ldap server name    (name: any name, or the FQDN)
      R1(config-ldap-server)#ipv4 address
      R1(config-ldap-server)#transport port port    (3268 default for MS)
      R1(config-ldap-server)#base-dn dn-name
      R1(config-ldap-server)#bind authenticate root-dn username-dn password password    (username-dn: DN the Router binds with for search/read/lookup)
  • 15. R1(config-ldap-server)#authentication bind-first    (bind before search)
      AAA server-group:
      R1(config)#aaa group server ldap name    (name: any name; an ldap aaa group server can hold one or more servers)
      R1(config-ldap-sg)#server ldap server name
  • 16. 2. AAA for authentication-proxy. AAA Framework:
      R1(config)#aaa new-model    (affects Telnet/SSH/HTTP login, so configure enable secret and a local username beforehand)
      R1(config)#enable secret password
      R1(config)#username name secret password
      R1(config)#aaa authentication login list name group {radius|ldap group name}    (list name: the list used by authentication-proxy; radius for Radius, or the ldap group from 1.b), e.g. aaa group server ldap LDAP_GR)
  • 17. R1(config)#aaa authorization network list name group {radius|ldap group name}    (list name: the list used by authentication-proxy; radius for Radius, or the ldap group from 1.b), e.g. aaa group server ldap LDAP_GR)
      3. authentication-proxy. a) ... / ... / ... / AAA / Virtual IP / Virtual FQDN. Extended ACL: deny the traffic that must not be intercepted (ex: AD/DNS)
  • 18. R1(config)#ip admission name auth-proxy name proxy {http|telnet|ftp} list ACL name    (auth-proxy name: name of the authentication-proxy rule; {http|telnet|ftp}: protocol that triggers authentication; ACL name: ACL selecting the traffic)
      HTTP method:
      R1(config)#ip admission name auth-proxy name {http-basic|ntlm}
      R1(config)#ip admission name auth-proxy name order {http-basic|ntlm}    (order in which the methods are tried)
  • 19. Virtual IP/Virtual FQDN:
      R1(config)#ip admission virtual-ip ip virtual-host name    (ip: IP address (ex: 1.1.1.1); name: FQDN (ex: isr-proxy); create a DNS A record for name pointing to the virtual IP)
      AAA:
      R1(config)#ip admission name name method-list authentication list name authorization list name    (the list names from step 2)
  • 20. b) Auth-proxy timers: Inactivity Timer (def=60 min), Absolute Timer (def=0). Global: ip admission; Per-rule: ip admission name
  • 21. c) Apply the authentication proxy to the interface:
      R1(config)#interface type number
      R1(config-subif)#ip admission name name
      4. ZBF with Group-Info: class-map type inspect match-all with match user-group, or a nested class-map (match-any); match access-group selects by IP. Note: auth-proxy, IP, match user-group
  • 22. 5. Verification:
      R1#test aaa group radius username password legacy
      R1#test aaa group ldap group username password new-code
      debug:
      R1#debug radius
      R1#debug ldap all
      auth-proxy:
      R1#sh ip admission cache
      Cache:
      R1#clear ip admission cache {*|username}
      R1#sh ip admission cache username user
  • 23. 2. ScanSafe Connector. ScanSafe is Cisco's cloud Web security service: URL Filtering (allow/block by URL category: Social Networks/News/...), File Filtering (by file type), Application Filtering of Web based applications (ex: Facebook), Antimalware
  • 24. The ISR connects to ScanSafe through the Cisco ScanSafe Connector: HTTP/HTTPS traffic is sent to the cloud together with the username/group. Unauthenticated users are sent with the default group. Groups are configured on the ISR. For the ISR to learn the username/group, http/https authentication is needed: HTTP Basic or NTLM
  • 25. How it works (flow). On the router: IP Admission Rule + AAA Rule.
      1. HTTP Request vk.com
      2. HTTP Redirect to Virtual Proxy IP; HTTP Request to Virtual Proxy IP (NTLM with HASH, or HTTP Basic)
      3. Authentication Request to LDAP; Authentication Response memberOF=Boss, converted by the Attribute Map
      4. HTTP Request vk.com forwarded to ScanSafe with LDAP://Boss
      5. ScanSafe: Access Policy, Content Scan, Antimalware Scan
      6. HTTP Response vk.com
  • 26. IOS ScanSafe Connector configuration: 1. ScanSafe account 2. Parameter-Map Content Scan 3. Authentication Proxy 4. AAA for authentication-proxy 5. authentication-proxy a) ... / ... / ... / AAA / Virtual IP / Virtual FQDN b) timers c) apply authentication-proxy 6. User-Group 7. Content Scan 8. verification 9. ScanCenter settings
  • 27. ScanSafe Connector. 1. ScanSafe account: registration (by the e-mail of the IT contact), then the Company Key: Admin>Authentication>Company Key>Create New
  • 28. 2. Parameter-Map Content Scan. Proxy Servers:
      R1(config)#parameter-map type content-scan global    (the content-scan parameter-map in IOS)
      R1(config-profile)#server scansafe primary name server fqdn port http 8080 https 8080
      R1(config-profile)#server scansafe secondary name server fqdn port http 8080 https 8080    (server FQDN from the ScanSafe portal; http/https port 8080)
      license:
      R1(config-profile)#license {0|7} key    (0: key in clear text, 7: encrypted)
  • 29. Source IP:
      R1(config-profile)#source address ipv4 address
      Default User-group:
      R1(config-profile)#user-group group name    (group name: the group sent for unauthenticated users)
      Behaviour when the Proxy Servers are unreachable:
      R1(config-profile)#server scansafe on-failure {allow-all|block-all}
  • 30. 3. Authentication Proxy, with LDAP (MS AD, NTLM). 4. AAA for authentication-proxy: as in User Based ZBF. 5. authentication-proxy: as in User Based ZBF
  • 31. 6. User-Group (Basic, OS). 7. Content Scan: enable on the interface through which http/https goes to ScanSafe:
      R1(config)#interface type number
      R1(config-if)#content-scan out
      8. Verification of the Proxy Servers:
      R1#show content-scan summary
      plus the User Based ZBF checks
  • 32. 9. ScanCenter: Admin>Management>Groups>Add Directory Group, LDAP group named LDAP://Group Name. Note: the ISR passes the LDAP group to ScanSafe.
  • 33. URL filtering policy: Web Filtering>Management>Filters>Create Filter (Allow/Block/Warn/...); Web Filtering>Management>Policy>Create Rule
  • 35. 3. WLC Setup. WLC: 2 SSIDs: an SSID with captive-portal, used to enroll the Meraki MDM client; an SSID with 802.1x for PC/Laptop, with 802.1x VLAN assignment; Meraki Systems Manager; 802.1x authentication and Authorization
  • 36. WLC Setup: 1. Radius Server on the WLC 2. Captive Portal on the WLC 3. SSID with Web Passthrough 4. SSID with 802.1x 5. MS NPS
  • 37. WLC Setup. 1. Radius Server on the WLC: Security>>>Radius>>>Authentication>>>New. 2. Captive Portal on the WLC: Security>>>Web Auth>>>Web Login Page, Custom; a Cisco Captive Portal bundle can be taken from cisco.com: the Bundle from cisco.com is a .zip, the WLC needs a .tar Bundle; upload to the WLC via TFTP: Commands>>>Download
  • 38. 3. SSID with Web Passthrough: Security>>>Layer 3, Web Policy: Passthrough. Note: DNS Replay, virtual IP.
  • 39. 4. SSID with 802.1x: Management SSID; Security>>>Layer 2: Layer 2 Security; Security>>>AAA Servers: the Radius server; the SSID VLAN is overridden per user: Advanced>>>Allow AAA Override
  • 40. 4. MS Network Policy Server setup: 1. Add the WLC as a Radius client on NPS
  • 41. 2. Network policy: EAP type; condition: NAS Port Type Wireless 802.11; client: the WLC; on NPS
  • 42. PEAP. Attributes returned to the WLC: Tunnel-Type=Virtual LANs (VLAN), Tunnel-Medium-Type=802, Tunnel-Pvt-Group-ID=VLAN Number
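Added example (not from the deck): how the three RFC 2868 attributes above are encoded in an Access-Accept and how a receiving side should validate them together before honouring AAA Override, since a VLAN number without a matching Tunnel-Type and Tunnel-Medium-Type under the same tag must not move the client. Attribute numbers and enumerations are from RFC 2868; the VLAN ids are constructed.

```python
import struct
# RFC 2868 attribute types and the enumerations NPS sends for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type = "Virtual LANs (VLAN)"
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type = "802"


def encode_vlan_attrs(vlan, tag=1):
    """Build the three tagged attributes a WLC needs for AAA Override (constructed values)."""
    if not 1 <= vlan <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("vlan must be 1..4094 and tag 0..31")

    def tlv(attr_type, value):  # RADIUS attribute: type, length (incl. header), value
        return struct.pack("BB", attr_type, 2 + len(value)) + value
    # Tunnel-Type / Tunnel-Medium-Type: 1-byte tag followed by a 3-byte integer
    t_type = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    t_medium = bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: 1-byte tag followed by the VLAN number as a string
    t_group = bytes([tag]) + str(vlan).encode("ascii")
    return (tlv(TUNNEL_TYPE, t_type) + tlv(TUNNEL_MEDIUM_TYPE, t_medium)
            + tlv(TUNNEL_PRIVATE_GROUP_ID, t_group))


def parse_attrs(blob):
    """Split a RADIUS attribute blob into (type, value) pairs; reject malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 3 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out


def vlan_from_access_accept(blob):
    """Return the VLAN to apply, or None unless all three attributes agree under one tag."""
    by_tag = {}
    for a_type, val in parse_attrs(blob):
        if a_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not val:
            continue
        # For the string attribute a first byte above 0x1F is data, not a tag (RFC 2868 3.6)
        untagged = a_type == TUNNEL_PRIVATE_GROUP_ID and val[0] > 0x1F
        tag, body = (0, val) if untagged else (val[0], val[1:])
        by_tag.setdefault(tag, {})[a_type] = body
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            vlan = int(attrs[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vlan <= 4094:
                return vlan
    return None
```

The same check applied to a captured Access-Accept shows why an NPS policy that returns only Tunnel-Pvt-Group-ID leaves the client on the SSID's default VLAN.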
  • 43. 5. Meraki Systems Manager setup. Meraki Systems Manager is a Mobile Device Management service. Features: for mobile devices (.../OS/...), (.../Proxy/...), (...); for Laptop/PC (Windows/MAC OS): (.../OS/...), (RDP, Windows), (Windows)
  • 44. Meraki Systems Manager: 1. Account 2. Deployment a) Android Enrollment b) iOS Enrollment 3. Tags and Profiles
  • 45. Meraki Systems Manager. 1. Account: https://account.meraki.com/login/dashboard_login?go=
  • 46. 2. Deployment: Mobile>>>Deployment. a) Android Enrollment. Enrollment options: Play Market with QR-code (the Meraki app is installed from Play Market, then the QR-code is scanned); Web Enrolment with an Enrolment Code (app also from Play Market). Note: Web Enrollment can be sent by email; ... Tag.
  • 47. b) iOS Enrollment. iOS Enrollment requires an Apple ID; the Meraki Certificate Request is downloaded to the PC, signed on the Apple Push Certification Portal, and the result is uploaded under Organization>>>Settings together with the Apple ID. Enrollment options: Web based, QR-code, Email
  • 48. 3. Tags: a Tag is attached to a device, and a Profile is applied by Tags (Profile Settings). New devices get Tag=recently-added. Monitor>>>Clients: Tag>>>Add Tag; Tag>>>Remove recently-added. Mobile>>>Profiles: Profile, Tag
  • 49. Mobile>>>Settings
  • 51. Links:
      R1 configuration: https://drive.google.com/file/d/0B0VvUTk8KGWfZG5jdGhFX3B4R0E/edit?usp=sharing
      Security Configuration Guide: Zone-Based Policy Firewall: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-1mt/sec-data-zbf-15-mt-book.html
      BRKSEC-3007 - Advanced Cisco IOS Security Features (2012 London): https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=3025&backBtn=true
      Cisco ISR Web Security with Cisco ScanSafe Solution Guide: http://www.cisco.com/en/US/docs/security/web_security/ISR_SS/ISR_ScanSafe_SolutionGuide.pdf
      Cisco ScanCenter Administrator Guide: http://www.cisco.com/en/US/docs/security/web_security/scancenter/administrator/guide/b_ScanCenter_Administrator_Guide.html
      Meraki YouTube channel: http://www.youtube.com/channel/UCimwNLMzVRMp7SUPVRNaqew
      Wireless LAN Controller Web Passthrough Configuration Example: http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00809bdb5f.shtml
      Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml