Archive for the ‘TrustSec’ Category

CiscoLive 2012 – Day 3

Though I was a day late on the last post, hopefully I wasn’t a dollar short in what I was
able to share. I cannot stress enough how valuable CiscoLive is for any Cisco partners or
customers. The contacts you make and the information you can glean are incredible. If you
can’t make it, I would recommend signing up for an account at It’s
free, and you can download most of the presentations from CiscoLive.

Yesterday, I only sat on two sessions, Cisco TrustSec and Security Group Tagging” and
“Understanding and Deploying the CleanAir Technology to Improve Enterprise WLAN Spectrum
Management” (that’s a mouthful.)

Although I haven’t yet deployed Security Group Tags, it’s an interesting idea to me. I
believe it is vital to continue to learn about new technologies and frameworks so that you
can communicate intelligently about them as they become more mainstream. Of course, some
don’t get to that point, but the concepts help us to grow in our overall system thought
process. Again, some of the highlights for me from this session were:

1. Security Group Tags (SGTs) are an enabler for enforcing policies, and specifically
security policies at this point.

2. While VLANs and static or downloadable ACLs are useful, they are not scalable. Changing
subnets, additional VLANs, and changing or new host IP address add to the complexity. SGTs
can abstract that complexity.

3. A key principle of SGT based access control is to classify at ingress and filter at
egress. So, a user/device is tagged at ingress, and an SGT ACL is used at the egress

4. Since not all devices support SGT, the SXP protocol is a way of migrating between the
two. Also, there are ways of mapping VLANs and subnets to SGTs, to help in the transition.

Of course, there was more – download the presentation!

I missed a session because I was enjoying the World of Solutions too much. I was able to
talk with a number of different vendors, some of whom we resell (like Tessco), some whose
tools we use (Ekahau – hopefully!), and others that our customers use (LiveAction).

The afternoon session on CleanAir was presented by the masterful Jim Florwick. He’s another “must go see” presenter. While I’ve seen much of what was presented before, it was still valuable, with some great reminders about RF and 802.11.

1. 802.11 is Listen Before Talk (LBT or CSMA/CA). And, it’s very, very polite in doing that. So much so, that it won’t talk unless the sensed power is below a certain threshold.

2. How does it sense the RF power levels in the air? Clear Channel Assessment (CCA) using either Energy Detect (ED) (quick, low power, prone to false positives) and/or Preamble (takes time, more power, less prone to false positives). The required power levels for the air space to be seen as “clear” can vary by band, year, client, etc.

3. Of course, non-Wifi devices don’t participate in 802.11 Collision Avoidance (CA). So they will often stomp on 802.11 devices, which will then wait to transmit. So, the more noise, the longer clients have to wait to send due to congestion. Now, there are two Responses to congestion. Either retransmit a packet or rate shift if the client retransmits too many times or SNR is too poor.

4. Since retransmits add to the time that other clients need to wait before sending, busy networks are even less tolerant to interference or noise.

5. Persistent Device Avoidance in 7.2 is a cool feature. It allows CleanAir APs to send information about interfering devices to non-CleanAir APs that are seen as neighbors. Be careful with this, though, as the RSSI or dBm values for neighbors is not adjustable for this feature. And, the bias to not use the channel used by that persistent device is for 7 days, which is also not configurable. Also, PDA does not mean that an AP won’t use the channel. It just adds a factor to not use the channel when that device is there.

The day was capped off with the CCIE Party on th USS Midway aircraft carrier. What an awesome time! Talking with old friends, riding in flight simulators, and decent food made for a terrific night. Much better than last year’s party. Cudos to those who planned it.


CiscoLive 2012 – Day 2

Note to self – don’t forget your badge.  I was walking out the door of the hotel to catch the shuttle to the convention center when I realized that my badge was back in my room.  That would have been bad – no session access (bad) and no breakfast (worse.)  Thankfully, I remembered before leaving.

As I said in my last post, one of the awesome pieces of CiscoLive is meeting new people.  This morning at breakfast was no exception.  I had a great discussion with an engineer from Montreal and another from West Point.  Though it was mostly on wireless, they made an interesting point about being the “expert” for a technology since they had installed that technology once.  It is interesting that in the world of networking, if you’ve done it, you’re the expert (at least in the eyes of some.)

My first session was BRKSEC-2022, “Demystifying TrustSec, Identity, NAC, and ISE” by Aaron Woland.  I highly recommend any sessions that he does, as he is a very engaging and knowledgeable speaker.  And, he busts on Cisco from time to time, which is good to see.  Though most of the sessions was review, having taken the ISE class, it was good to have some concepts reaffirmed.  A couple of key points from this session were:

1. For TrustSec (which is the former name of “Secure Group Access” or SGA – thanks Cisco for reusing a term that now includes the former use plus more!),identity means the Who, What, Where, When and How of access.  With that, most of the work of ISE is in the Authorization piece.  While Authentication is good, it is not nearly enough.

2. At least for Wired 802.1X, deploy in Monitor Mode to begin with.  That way you don’t cause yourself a DoS when you bring it up.  There are too many variables involved that can cause clients to not connect properly to begin with.  With this, make sure that the network device and the backend server (ISE in this case) are set up properly for logging what is going on.  That way you can see what is going on.  Also, make sure URL Redirect is not part of the Authorization policy being tested, unless you really want them to be redirected to begin with.

3. Most supplicants don’t have sufficient logging for troubleshooting issues.  Cisco provides the AnyConnect Network Access Manager as a no-cost licensed product for as many clients as needed for those that have ASA5500s, ACS, ISE, Cisco switches, or anything with which AnyConnect could interconnect as long as that component is under Cisco SmartNet.  What that “no-cost” license does is allows for TAC access.  AnyConnect also provides DART.

My second session, vearing from the mobility/security side was “Nexus 7000 Hardware Architecture.”  I’ve worked with these a little bit, so I wanted to better understand what was going on under the hood.  I found that you almost need a PhD in Nexusology to understand how things can be grouped or not-grouped or whatever.  Also, the way that queueing is performed has forced me to rethink the N7K QoS configs I’ve done.  This is due to mostly ingress queueing, before traffic is placed on the fabric.  There is some egress queueing, but the arbiter has already done most of that work prior to placing it on the output interface.

The third session brought me back to ISE.  Another terrific session delivered by Aaron Woland.  Note to self: book sessions with him whenever possible!  He brought a lot of terrific tips and hints that you wouldn’t automatically think of when implementing ISE.  A few key ones for me were:

1. When running ISE install wizard, use lower-case for the hostname.  That will alleviate issues later.

2. All ISE nodes must be resolvable by their FQDN.  Also, a DNS A Record should also have accompanying Pointer Record.  Otherwise, you will not get the redirects that you are wanting.

3. Related to #2, there is a way of creating the certificate such that it allows for the use of multiple host names (such as one for administering ISE, another for sponsors, another for guests, etc.) by the use of Subject Alternate Names.  That requires some OpenSSL magic.  They should have something about this in an upcoming guide.

4. Time Zone = UTC is best practice for a distributed deployment.  Also, remember that if you change the time zone on an ISE, the database is deleted!  So, set this during initial setup.  BTW, for the Eastern Time Zone in the United States, use EST5EDT in order to allow for Daylight Saving Time.

5. Always use the RADIUS probe, and usually the DHCP probe.  Use as few as required to get the information you need.

While all these were great, the highlight of the day was going to dinner at Jakes’s Del Mar in Del Mar, CA with Pat Goessling, Annese Account Manager, and several customers.  We were right on the ocean and had a terrific time talking and laughing.