In this blog we will look at Cisco Umbrella and Cisco Wireless LAN Controller (WLC) integration, and build and test Umbrella policies for WLAN users.

Requirements – Wireless users connecting to SSID “USSID” should be assigned a unique Umbrella policy based on their role within the organization.

The solution includes three network and security components: WLC, Umbrella and ISE. Deployment starts with integrating the WLC and Umbrella using an API token generated in Umbrella, then creating an Umbrella policy for each unique role in the organization, in this case HR and Sales. ISE assigns a role to each user as part of authorization, using the Cisco-AV-Pair attribute “role”, based on their authentication with AD credentials. The WLC ties the role assigned by ISE to a unique Umbrella policy and enforces it on the user for that SSID.

Note that this deployment can be done in multiple ways; this is one method, not the only one.

So let's start with the configuration. The first step is generating an API token from Umbrella under Network Devices.


Now I will create two Umbrella profiles on the WLC, which will act as identities for Umbrella policy creation: one for HR and another for Sales.


It takes a few seconds for the profiles to register with Umbrella.


Now the profile status shows Registered, so we can go to Umbrella and confirm the profiles have been populated.


Now I can start building out policies on Umbrella. Building a policy on Umbrella requires multiple components: a destination list, category settings, security settings, what the block page will look like, and so on. So I am going to build all the components required for an Umbrella policy first and simply reference those components when I build the policy. I will build individual policy components for HR and Sales respectively, based on my requirements.

So let's start with the destination list. I have created a URL blacklist so that Sales cannot access adobe.com and HR cannot access java.com. If you don't want to do URL-specific filtering, you can go straight to the category-based policy component.


Next I have created a category list, which defines by category what content each group can access or is denied. For the sake of demonstration I have been aggressive with the HR group, blocking 55 categories, versus the Sales group, blocking only 6 categories.


For the security setting I want a consistent policy for both HR and Sales, and I want all security aspects covered, which includes malware, newly seen domains, command and control callbacks, phishing attacks, dynamic DNS, potentially harmful domains, and DNS tunneling VPN.


Let's now create a custom block message, which will again be the same for both user types.


Now that all our policy components are built, we can tie them into policies.


The first policy I am building is for HR, so I have selected the identity I created at the beginning on the WLC (imported into Umbrella).


We can pick and choose what we want a specific policy to do; in this case I will leave it at the default, which enables all the features listed above.


The security setting is the same for both Sales and HR, so I am calling the custom setting that was built earlier.

Calling out the category list specific to HR built above.


Calling out the HR destination blacklist in addition to the default global block list.

Calling out the custom page built for sites blocked by Umbrella.

Overall HR policy details.


Similar to the HR policy, another policy has been created for Sales, which can be seen above.

Now that both policies are ready on Umbrella, it's time to apply these policies on the controller. I will create two local policies on the WLC, and I want them to work such that if an HR user connects to the SSID the user gets the HR Umbrella policy, but if a Sales user connects to the SSID the user gets the Sales Umbrella policy. So the first thing I need to do is assign a role to the user based on their AD credentials. I can make use of ISE here with the Cisco-AV-Pair attribute “Role”. My ISE policy will say that if a user logs in with AD credentials belonging to the HR group, the user is assigned the HR role, and if a user logs in with AD credentials belonging to the Sales group, the user is assigned the Sales role. The policy on ISE is very simple.

I will create two authorization profiles for role assignment.


Then a policy set to assign roles based on their respective AD credentials.


Now that users are assigned a role based on their AD credentials, we are ready to tie the ISE role and the Umbrella policy together on the WLC SSID.

Note the OpenDNS mode set to Forced and the Umbrella public IP configured as the DNS server IP.


This local policy means that if the user has been assigned the role of Sales, then apply Sales_Umbrella_policy.

This local policy means that if the user has been assigned the role of HR, then apply Sales_HR_policy.

The two policies have been applied under the SSID policy mapping.

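The WLC side of the setup described above, as an added example rather than configuration taken from the original post: the AireOS CLI equivalent of the GUI steps, assuming 8.x command syntax, WLAN ID 1, and the profile, policy and role names used in this post. The API token is a placeholder, and lines starting with "!" are annotations, not commands; verify the syntax against your controller's release before using it.

```text
! Added example (assumed AireOS 8.x syntax), not configuration from the original post
! 1. Register the controller with Umbrella using the API token generated under Network Devices
config opendns enable
config opendns api-token <UMBRELLA-API-TOKEN>      ! placeholder, paste the token from Umbrella

! 2. Create the two profiles; once registered they appear in Umbrella as identities
config opendns profile create HR
config opendns profile create Sales

! 3. Local policies: ISE returns Cisco-AV-Pair role=HR or role=Sales, so match on that role
!    and map each role to its Umbrella profile (policy names as used in this post)
config policy Sales_Umbrella_policy create
config policy Sales_Umbrella_policy match role Sales
config policy Sales_Umbrella_policy action opendns-profile-name Sales enable

config policy Sales_HR_policy create
config policy Sales_HR_policy match role HR
config policy Sales_HR_policy action opendns-profile-name HR enable

! 4. Bind both policies to the WLAN (ID 1 assumed) and force client DNS through Umbrella
!    (the WLAN must be disabled while its policy mapping and Umbrella mode are changed)
config wlan disable 1
config wlan policy add 1 Sales_Umbrella_policy 1
config wlan policy add 2 Sales_HR_policy 1
config wlan opendns-mode force 1
config wlan enable 1

! 5. Verify: profiles show Registered, and each policy lists its role match and Umbrella profile
show opendns summary
show opendns profile summary
show policy summary
show wlan 1
```

Forced mode means the controller redirects the client's DNS queries to Umbrella regardless of the resolver the client was handed, which is why a user who changes their local DNS setting still lands on the role's policy.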

Sales Testing

Connecting to the SSID with Sales user credentials and getting assigned the right role.


After role assignment I am able to access news and alcohol-related sites, but not sports (espn), as per the Sales policy on Umbrella.


HR Testing

As usual, the user authenticated through ISE and ISE assigned the role of HR as part of the authorization policy.


After role assignment I am able to access search engines, but not news (cnn), as per the HR policy.


I hope you enjoyed reading this as much as I enjoyed writing it. Feel free to comment!