
Building Cisco identity-based network access with pxGrid

08.12.2019

In this post I will discuss the concept of identity-based networking and its components, based on Cisco Systems products. Then I will shed some light on how the process looks from the perspective of each functional node of the ecosystem, where pxGrid is one of the core protocols used.

 

Why do we need identity-based access?

The importance of the user identity approach in enterprise networks was described a few years ago in the “Is user identity important?” post. Since then, several new concepts and products from different vendors have been developed around it. In the Cisco Systems portfolio we can find a comprehensive approach that is gaining maturity, and we see many companies currently adopting this model. In this concept, Cisco Identity Services Engine (ISE), the heart of the identity solution, Cisco LAN/WLAN devices and security products such as firewalls or Email Security Appliances cooperate to achieve end-to-end network visibility and to be more effective in the battle against cyber threats. User identity, accounting of authentication events and traffic visibility help to achieve automation across network boundaries, unification of access and security rules, and easier administration. The Cisco Digital Network Architecture (DNA) concept, Cisco's name for its comprehensive enterprise networking approach, is not only about identity; however, identity is one of the key aspects of gaining a controlled, automated and secured network environment. Identity in this context makes the network user-aware rather than IP-prefix-aware, which in turn helps to construct universal security policies, scales better (especially in large or multi-site organizations) and provides granular access control and user accounting.

 

Cisco pxGrid

One of the key terms behind end-to-end identity is pxGrid, a protocol that is now an IETF-approved standard described in RFC 8600, published in June 2019. pxGrid stands for Platform Exchange Grid and enables cross-platform information exchange in relation to a particular data context. The pxGrid architecture is based on a publish-subscribe approach: consumers of data subscribe to a given topic, a provider publishes information to that topic, and the broker distributes it to all subscribed consumers.

The information shared over pxGrid can be used by security monitoring and detection systems, network policy platforms, IAM or any other IT infrastructure products that can make use of such data. One type of data, in our case, is the user identity to IP mapping that consumers retrieve thanks to pxGrid communication.

 

Ecosystem and communication scheme

The scheme below shows the flow of control plane communication used to propagate the user information retrieved and parsed by ISE during the 802.1X authentication process. The information is forwarded from ISE to Firepower Management Center, which is the central management console for the Internet Edge and Data Center firewalls. In turn, the user information, which contains the username and current IP address, is forwarded to Firepower appliances (or ASA with FirePOWER Services). Based on this user-to-IP mapping, firewalls can enforce security rules based on the username or AD group identity rather than the IP address.

(Figure: Cisco pxGrid communication scheme)

How does the process look?

The user authenticates first. It doesn't matter whether the authentication is wired or wireless. In our case the Windows 10 native supplicant is used to authenticate via an 802.1X-enabled Ethernet switch.

(Figure: 802.1X Windows authentication)

 

On the ISE Live Logs dashboard we can now see that the user is authenticated and authorized.

(Figure: Cisco ISE Live Logs)

 

Sometimes during troubleshooting it is helpful to verify the information at the switch level. Here, a Catalyst 2960X works as the NAD (Network Access Device), which is why it can also be part of the diagnostic process. The information on the switchport reflects what we see in the ISE live logs (port, MAC, IP, username and more).

(Figure: Cisco switch 802.1X diagnostics)

 

Behind the scenes, the pxGrid protocol is used to report the event information to the consumer, which is Firepower Management Center (FMC).

(Figure: FMC user-to-IP mapping)

So, what we have just achieved is an end-to-end AAA process that exposes the username-to-IP information to a pxGrid consumer (FMC). Now, to make use of this kind of data, we need a Firepower appliance present in our network that can enforce identity-based rules for this particular user or his/her AD group. In my test case the rule for User1 is trivial: it simply blocks ICMP traffic to 8.8.8.8. However, it shows the application of identity information inside the Firepower Access Control Policy (ACP).

(Figure: Firepower identity rule in the ACP)
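The publish-subscribe flow and the identity-based rule described above, as an added Python model that is not part of the original post and not Cisco's pxGrid implementation: a provider (ISE) publishes constructed session events to a topic, the FMC-like consumer builds the user-to-IP mapping, and the ACP check resolves the source IP to a user before matching the User1 rule. The topic name, the event fields and the default action are assumptions of this model, not the real pxGrid wire API; the disconnect handling shows why the mapping must be cleared when a session ends.

```python
from collections import defaultdict
# Topic name modelled on the ISE session service; an assumption, not the real wire API.
SESSION_TOPIC = "com.cisco.ise.session"

class Broker:
    """Minimal pxGrid-style broker: delivers each published message to topic subscribers."""
    def __init__(self):
        self.subscribers = defaultdict(list)

    def subscribe(self, topic, callback):
        self.subscribers[topic].append(callback)

    def publish(self, topic, message):
        for callback in self.subscribers[topic]:
            callback(message)

class IdentityConsumer:
    """Models the FMC consumer: keeps the user-to-IP mapping built from session events."""
    def __init__(self, broker):
        self.ip_to_user = {}
        broker.subscribe(SESSION_TOPIC, self.on_session)

    def on_session(self, event):
        ip, user = event["ipAddress"], event["userName"]
        if event["state"] == "STARTED":
            self.ip_to_user[ip] = user
        elif event["state"] == "DISCONNECTED" and self.ip_to_user.get(ip) == user:
            # Drop the stale mapping so the next host on this IP does not inherit User1's rules.
            del self.ip_to_user[ip]

def evaluate(consumer, rules, src_ip, protocol, dst):
    """Identity-based ACP check: resolve the source IP to a user, then match rules on the user."""
    user = consumer.ip_to_user.get(src_ip)
    for rule_user, rule_proto, rule_dst, action in rules:
        if rule_user == user and rule_proto == protocol and rule_dst == dst:
            return action
    return "allow"  # simplified default action for this model

def demo():
    broker = Broker()
    fmc = IdentityConsumer(broker)
    rules = [("User1", "icmp", "8.8.8.8", "block")]  # the post's trivial User1 rule
    # Constructed session events, as the provider (ISE) would publish them after 802.1X.
    start = {"userName": "User1", "ipAddress": "10.0.0.5", "state": "STARTED"}
    end = dict(start, state="DISCONNECTED")
    broker.publish(SESSION_TOPIC, start)
    while_logged_in = evaluate(fmc, rules, "10.0.0.5", "icmp", "8.8.8.8")
    broker.publish(SESSION_TOPIC, end)
    after_logout = evaluate(fmc, rules, "10.0.0.5", "icmp", "8.8.8.8")
    return while_logged_in, after_logout
```

Running demo() returns ("block", "allow"): the ICMP rule applies only while the pxGrid mapping ties 10.0.0.5 to User1.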

Talking about a comprehensive product portfolio and an integrated ecosystem, one more access type should be mentioned: VPN remote access. Using the Cisco AnyConnect Secure Mobility Client, the user should fall under the same security policy wherever his/her location is. In the next article I'll show the VPN remote access configuration using AnyConnect and Duo Security multi-factor authentication, integrated into the above ecosystem. The identity information coming from a VPN remote access connection event will also be available to the Firepower ACP ruleset. Stay connected.

 

References

[1] https://datatracker.ietf.org/doc/rfc8600

[2] https://developer.cisco.com/docs/pxgrid/

Author

Marcin Bialy

Marcin Biały is a Network and Security Architect with over 12 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Lead Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
