Managing Different Devices and Network Access Policy Safely
Cisco ISE deployments enables the customer to secure flexible working practices and simplify IT management
Industry: Aviation
Location: India
Company Size: 2500+ Employees.
Challenge:
- Introduce BYOD-enabled flexible working while maintaining data security
- Reduce cnsequent workload on IT team
Solution:
- Cisco smart security solution, providing policy-based access control, identity-aware networking, and data integrity and confidentiality
- Cisco products and services include TrustSec, Identity services engine.
Results:
- Provided secure authentication for 2500 users
- Improved network troubleshooting
Review
Previous
Next
Challange
The customer being India’s largest domestic airline in the private sector, takes you to some spectacular international destinations as well. India’s premier international airline which provides with one of the finest experiences across the skies. Our high standards of service and reliability, efficient operations and focus on innovation has enabled us become one of India’s favorite domestic and international airline.
At that time, the main IT focus was on securing corporate devices and vast amounts of confidential data across wired and virtual private networks. This approach used RADIUS access control servers and, more recently, a Cisco Secure Access Control System. However, things changed over due course of time. With employees increasingly seeking to connect personal devices, the customer was forced to rethink IT strategy.
“A powerful and flexible unified access security system was needed, one that could enforce a safe bring-your-own-device policy and manage different devices like Samsung Galaxy Tabs, Nokia Lumia phones, Apple iPhones and iPads, and so on.” says Senior Member of IT.
At that time, the main IT focus was on securing corporate devices and vast amounts of confidential data across wired and virtual private networks. This approach used RADIUS access control servers and, more recently, a Cisco Secure Access Control System. However, things changed over due course of time. With employees increasingly seeking to connect personal devices, the customer was forced to rethink IT strategy.
“A powerful and flexible unified access security system was needed, one that could enforce a safe bring-your-own-device policy and manage different devices like Samsung Galaxy Tabs, Nokia Lumia phones, Apple iPhones and iPads, and so on.” says Senior Member of IT.
The Solution
At the solution’s center is the Cisco Identity Services Engine (ISE), which forms a security policy management and control platform. It enforces usage policies in conjunction with Cisco TrustSec across wired and wireless networks and potentially VPNs. The customer also uses ISE for a range of other functions, including access control, profiling, and security posture policies on endpoints.
These integrated components protect a vast IT infrastructure comprising of Cisco Catalyst® 2960-S, 2960-X,3750-X, and 3850 Series Switches, Cisco Aironet® 2700 Series Access Points and two Cisco 5508 Series Wireless Controllers. For redundancy, the customer has an ISE server at both of its main data centers, along with fully redundant Active Directory and application servers. RADIUS server load-balancing is implemented as a feature on the Cisco Catalyst switches.
The organization has different access policies and mechanisms for different devices. Extensible Authentication Protocol (EAP)-Transport Layer Security machine certificates are used for the customer assets. Meanwhile, EAP-Protected Extensible Authentication Protocol is used for bring-your-own-device (BYOD) endpoints. For IP phones, the customer uses MAC Authentication Bypass (MAB) to provide limited access for endpoints that the network does not recognize. “Machine certificates are our preferred authentication method. They offer strong authentication and best automation for device access control,” adds Senior Member of IT.
Part of the Cisco TrustSec® architecture, ISE is a core capability within the Cisco bring-your-own-device (BYOD) Smart Solution. It combines information about the roles and privileges of users, their device profile and posture, their location (VPN, trusted or untrusted networks), and the service request. This policy-based approach then automatically determines who gets what access, from where, and on what device.
These integrated components protect a vast IT infrastructure comprising of Cisco Catalyst® 2960-S, 2960-X,3750-X, and 3850 Series Switches, Cisco Aironet® 2700 Series Access Points and two Cisco 5508 Series Wireless Controllers. For redundancy, the customer has an ISE server at both of its main data centers, along with fully redundant Active Directory and application servers. RADIUS server load-balancing is implemented as a feature on the Cisco Catalyst switches.
The organization has different access policies and mechanisms for different devices. Extensible Authentication Protocol (EAP)-Transport Layer Security machine certificates are used for the customer assets. Meanwhile, EAP-Protected Extensible Authentication Protocol is used for bring-your-own-device (BYOD) endpoints. For IP phones, the customer uses MAC Authentication Bypass (MAB) to provide limited access for endpoints that the network does not recognize. “Machine certificates are our preferred authentication method. They offer strong authentication and best automation for device access control,” adds Senior Member of IT.
Part of the Cisco TrustSec® architecture, ISE is a core capability within the Cisco bring-your-own-device (BYOD) Smart Solution. It combines information about the roles and privileges of users, their device profile and posture, their location (VPN, trusted or untrusted networks), and the service request. This policy-based approach then automatically determines who gets what access, from where, and on what device.
The Result
The Cisco Smart Security solution provides authentication for around 2500 users and some 3000 workstations and laptops, BYOD endpoints and smartphones. In addition, ISE grants access to around multipurpose devices and printers along with other assorted network devices.
Importantly, The customer is able to deal with the BYOD trend easily and securely. “ISE has the intelligence to handle the access policy for different devices and user needs,” says Senior Member of IT.
“ISE has automated and simplified access control for network devices such as printers, IP phones, and thin-clients and now we have enhanced visibility of our network,” says Senior Member of IT, The customer.
Similarly, printer management has been greatly simplified. Previously they had to be authenticated using MAB with Active Directory group and location information. Now they can be added on a plug-and-play basis using a centralized access policy over 802.1X with EAP-MD5.
Senior Member of IT says. “ISE is very good: secure, flexible, and offering greater network visibility. With ISE, we can also apply a posture health check for workstations, to ensure end devices are compliant with our security policy.”
ISE dynamic profiling has cut down administrative effort, easing the IT management burden. Even though the new network is larger and more complex than its predecessor, the customer IT team can still manage with the same resources, in particular, arranging guest access is faster and easier.
Importantly, The customer is able to deal with the BYOD trend easily and securely. “ISE has the intelligence to handle the access policy for different devices and user needs,” says Senior Member of IT.
“ISE has automated and simplified access control for network devices such as printers, IP phones, and thin-clients and now we have enhanced visibility of our network,” says Senior Member of IT, The customer.
Similarly, printer management has been greatly simplified. Previously they had to be authenticated using MAB with Active Directory group and location information. Now they can be added on a plug-and-play basis using a centralized access policy over 802.1X with EAP-MD5.
Senior Member of IT says. “ISE is very good: secure, flexible, and offering greater network visibility. With ISE, we can also apply a posture health check for workstations, to ensure end devices are compliant with our security policy.”
ISE dynamic profiling has cut down administrative effort, easing the IT management burden. Even though the new network is larger and more complex than its predecessor, the customer IT team can still manage with the same resources, in particular, arranging guest access is faster and easier.
