Page 1
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1
Role-based access control in the LAN. Practical scenarios for applying the technologies.
Vladimir Ilibman, Systems Engineer-Consultant
Page 2
Contents
• Overview of Cisco TrustSec
• Network identity
• Authorization and policy enforcement
• Data integrity and confidentiality
• Managing TrustSec: CiscoWorks LMS 4.0
• Overview of new versions of Cisco network access control solutions: Cisco NAC, Cisco ACS, NAC Guest, NAC Profiler
Page 3
Today: a dynamic access environment
Users and devices: employees, contractors, phones, printers…
The slide scatters examples of who and what connects, how, and when:
• IP camera, corporate resource, MAC: F5 AB 8B 65 00 D4
• Laptop, corporate resource, laboratory, 11 AM
• Maria Sidorova, employee, HR, wired access, 11:00
• Printer, non-corporate asset, MAC: B2 CF 81 A4 02 D7
• IP phone, G/W, corporate asset, finance department, 11:00 PM
• Sergey Balabov, contractor, IT, wired connection, 10 AM
• Anna Petrova, employee, CEO, remote access, 10 PM
• Katya Zhukovskaya, employee, R&D, WiFi, 14:00
• Anton Almazov, consultant, head office, remote access, 6:00 PM
• Viktoria Katernyuk, employee, wired access, 15:00
Confidential resources: the network, devices and applications
Many access methods; different devices, different places
Everything must be controlled
Page 4
Why policy matters
• Protecting the communications environment: as the network perimeter blurs, access to resources must be controlled
• Ensuring compliance: meeting strict corporate, government and regulatory requirements
• Raising security: ensuring that users and devices comply with policy is essential for information security
Page 5
Cisco TrustSec
TrustSec is an umbrella architecture for improving the security of the campus network and the data center. It helps companies protect the network, data and resources by means of:
• network identity technologies
• access control technologies based on policies and user roles
• additional services for protecting access and the transmission medium
Page 6
Key functions of Cisco TrustSec
Policy-based access control
• Consistent policies for users and devices
• Access control based on user roles (RBAC)
• Distributed enforcement
• Topology-independent access control using Security Group Access Control (SGAC)
Network identity
• Control based on identity information and attributes (time, location, access method)
• Support for Cisco Medianet and QoS for applications associated with user roles
Additional services
• Guest access
• Assessment of device posture and compliance with the security policy
• Agentless device profiling
• Data link encryption based on the IEEE 802.1AE standard
Page 7
Cisco TrustSec architecture: Identity-Based Networking Services (IBNS)
Diagram layers:
• Identification / authentication: 802.1X, 802.1X-REV, MAB, WebAuth
• Authorization: ACL, VLAN, policy
• Additional services: integration with UC
Page 8
Cisco TrustSec architecture: network admission control (NAC)
Diagram layers:
• Identification / authentication: NAC (in-band, out-of-band), MAB, WebAuth
• Authorization: ACL, VLAN, policy
• Additional services: device posture assessment, device profiling, guest access
Page 9
Cisco TrustSec architecture (combined)
Diagram layers:
• Identification / authentication: 802.1X, 802.1X-REV, MAB, WebAuth, NAC (in-band, out-of-band)
• Authorization: ACL, VLAN, policy, Security Group Tagging
• Additional services: device posture assessment, device profiling, guest access, MACSec, integration with UC
Page 10
Cisco TrustSec: network access control based on 802.1X
Diagram components: guest users; users and hosts (PCs and IP phones) with a supplicant, authenticating via 802.1X, web or MAC; network devices (Cisco® Catalyst® switches, Nexus® 7000 switch, wireless LAN controller); management protocol: RADIUS; ACS with the user directory, NAC Guest and NAC Profiler; protected resources.
Page 11
Cisco TrustSec: network access control based on NAC Appliance
Diagram components: guest users; users and hosts (PCs and IP phones) with the NAC Agent, authenticating via web or MAC; network devices (Cisco® Catalyst® switches, wireless LAN controller); management protocol: SNMP; NAC Manager and NAC Server with the user directory, NAC Guest and NAC Profiler; protected resources.
Page 12
Comparison of 802.1X and NAC Appliance

| | Cisco solution based on 802.1X | Solution based on NAC Appliance |
|---|---|---|
| Is an agent or supplicant required? | Yes for 802.1X; no for web authentication | Yes for posture assessment; no for web authentication |
| Identification / authorization | Yes | Yes |
| Device policy compliance check | No | Yes |
| Industry standard | Yes | No |
| Support for devices without 802.1X | Yes (MAB) | Yes |
| Support for agentless devices | Yes: NAC Profiler | Yes: NAC Profiler |
| Machine authentication support | Yes | No |
| Guest access support | Yes | Yes |
| Management protocol | RADIUS | SNMP |
Page 13
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
Network identity
Page 14
Network identity based on Cisco 802.1X (Identity-Based Networking Services, IBNS)
• IEEE 802.1X authentication for users and devices: standards-based Layer 2 authentication at the port for users and devices
• MAC authentication bypass (MAB): devices without 802.1X can be authenticated using MAB
• Web authentication: guest users can authenticate through a web portal for temporary network access
Page 15
A network port with 802.1X
It looks the same as a port without 802.1X: an unknown device ("?") connects to the SWITCHPORT.
After authentication:
• the security level is raised
• the port is configured (VLAN, ACL, QoS)
• the access event is recorded
Result: an authenticated user
Page 16
Cisco TrustSec Flexible Authentication
Flexible authentication makes it possible to:
• Use three different authentication methods: 802.1X for devices with supplicants; MAC Authentication Bypass (MAB); Web Authentication (username/password)
• Configure them on a port in any combination and in any order
• This reduces network OpEx:
– corporate users, devices and guest users are supported on the same port
– users/devices can move freely around the network without reconfiguring equipment
Page 17
How Flexible Authentication works
Methods available on the port: 802.1X, MAB, Web Auth
1. Default order: employee authentication
2. Devices without a supplicant, partial access before 802.1X authentication, VIP
3. Web authentication (MAB, Web Auth)
The administrator controls the method order, the method priority, and the action taken when a method fails.
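The behaviour described on this slide, as an added example that is not part of the original deck: a small Python model of a Flexible Authentication port that walks the configured method order, falls through to the next method when one fails, and uses method priority when two methods have both succeeded. The endpoints, their capabilities and the AAA verdicts are constructed stubs, not real supplicant or RADIUS behaviour.

```python
"""Added example (not from the original deck): a small model of how a
Flexible Authentication port walks the configured method order, falls
through to the next method on failure, and uses method priority when two
methods have both succeeded. Endpoint capabilities are constructed stubs,
not real supplicant or AAA behaviour."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    """Constructed endpoint: the methods it can complete and whether the
    AAA server would accept it (a MAC missing from the MAB database or a
    wrong password both show up as accepted=False)."""
    name: str
    completes: List[str]          # subset of {"dot1x", "mab", "webauth"}
    accepted: bool = True


def run_method(method: str, ep: Endpoint) -> bool:
    """One authentication attempt with one method."""
    return method in ep.completes and ep.accepted


def flex_auth(ep: Endpoint, order: List[str],
              fail_action: str = "next-method") -> Dict:
    """Model of the method order plus the fail action: with
    fail_action == "next-method" the port tries the next configured method
    after a failure, otherwise it stops at the first failure."""
    attempts = []
    for method in order:
        ok = run_method(method, ep)
        attempts.append((method, ok))
        if ok:
            return {"authorized": True, "method": method, "attempts": attempts}
        if fail_action != "next-method":
            break
    return {"authorized": False, "method": None, "attempts": attempts}


def pick_by_priority(succeeded: List[str], priority: List[str]) -> Optional[str]:
    """Model of method priority: when more than one method has succeeded
    for the same session (e.g. MAB passed, then the supplicant started
    802.1X), the highest-priority successful method wins."""
    for method in priority:
        if method in succeeded:
            return method
    return None


ORDER = ["dot1x", "mab", "webauth"]      # default order on the slide
PRIORITY = ["dot1x", "mab", "webauth"]


def demo() -> Dict[str, Dict]:
    """Run the default order against four constructed endpoints."""
    endpoints = [
        Endpoint("employee PC with supplicant", ["dot1x"]),
        Endpoint("printer, MAC known to AAA", ["mab"]),
        Endpoint("guest laptop", ["webauth"]),
        Endpoint("unknown device", ["mab"], accepted=False),
    ]
    return {ep.name: flex_auth(ep, ORDER) for ep in endpoints}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} -> {result['method']}  attempts={result['attempts']}")
    print("priority winner when MAB and 802.1X both passed:",
          pick_by_priority(["mab", "dot1x"], PRIORITY))
```

The fail action is what separates a pilot from a lockout: with the next-method behaviour a printer still reaches MAB after the 802.1X timeout, whereas a stop-on-failure policy leaves every supplicant-less device unauthorized on the first method.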
Page 18
802.1X Multi-Authentication
Multiple MACs on a port (the diagram shows several devices, including a VM, behind one SWITCHPORT)
• Control uses the MAC of each device: 802.1X or MAB
• Independent access control on the port for each MAC using a downloadable ACL (dACL)
Page 19
Intermediate network devices
Identity Enabled Networks: hubs, third-party IP phones, legacy Cisco IP phones, an intermediate device in the middle, PC movement
• A problem for network authentication is the lack of information about the state of a device that is connected to a switch port not directly but through an unmanaged switch/hub or a telephone set
• We cannot detect that such a device has been disconnected
• The possibility of moving such devices between switch ports, or of spoofing an authenticated device, creates a security threat
Page 20
Protection from rogue network devices: Network Edge Access Topology (NEAT)
1. Extends trust to conference rooms, lobbies and blade systems
2. Makes device control in publicly accessible places secure
Diagram: a compact switch on a wall jack in a conference room connects to the wiring-closet switch, which reaches AAA over the campus LAN.
• Switch authentication (Machine Auth): the uplink port status goes from Un-Authorized to Authorized
• Once authorized, only the MAC of an authenticated host is allowed; the announced MACs are permitted (the compact switch announces the MAC of each authenticated host)
• MAC removal on notification: disconnect, power down or logoff
• MAC removal on timeout or on link down
Page 21
IP telephony: Multidomain Authentication (MDA)
1. MDA separates the authentication domain for data (PC) and for voice (IP phone)
2. MDA supports 802.1X or MAB for both authentication domains, voice and data
3. Supports both Cisco IP phones and third-party IP phones
Diagram: two domains per port (Voice, Data), 802.1q
• Phones authenticate in the voice domain and tag their traffic into the voice VLAN
• The PC authenticates in the data domain; its untagged traffic goes into the data VLAN
Page 22
802.1X + IP telephony. Port control: three solutions
1. EAPoL-Logoff
• Works only with 802.1X devices and certain phones*
• The session is cleared immediately by sending EAPoL-Logoff (the phone sends a proxy EAPoL-Logoff)
• Sequence: PC-A disconnects, PC-B connects, Dot1x logon required
2. 802.1X/MAB inactivity timeout
• Some devices may need to re-authenticate
• There is a window in which a device can connect before the timer expires and the session is cleared
• Sequence: PC-A disconnects, PC-B connects, authentication required
3. CDP 2nd port notification (CDP Link Down)
• The session is cleared immediately by the CDP Link Down message
• Works with MAB, 802.1X and WebAuth
• Requires no configuration
• Sequence: PC-A disconnects, PC-B connects, authentication required
(SSCA and SSCB in the diagram label the sessions of PC-A and PC-B.)
Page 23
Deploying TrustSec with IP telephony: best practices
• 3rd-generation phone: X.509 certificate support, firmware 8.5(2)
• Catalyst switch: 12.2(50)SE3 (2k, 3k), 12.2(52)SG (4k), 12.2(33)SXI (6K)
• ACS version 5.x; CUCM 7.1.2 and later
• Diagram labels: EAP-TLS; CDP 2nd Port; 802.1X with MDA; Monitor/Low Impact; "Touchless" EAP-TLS; Remote 802.1X Enable
Cisco TrustSec provides the most complete 802.1X compatibility for IP phones in the industry:
• Cisco IP phones have a built-in supplicant supporting EAP-MD5, EAP-FAST and EAP-TLS, and pre-installed digital certificates (MIC) that can be used for 802.1X identification
• 802.1X can be enabled on the phone centrally from CUCM version 7.1.2 and later
• A tested "touchless" 802.1X deployment scenario with telephony is documented on cisco.com
Page 24
Authorization and policy enforcement in the network
Page 25
The various authorization mechanisms
• TrustSec provides several authorization mechanisms for enforcing policy
• Three main mechanisms for restricting access: VLAN assignment (ingress); dACL assignment (ingress); Security Group ACL (SGACL) (egress)
• Three deployment models for restricting access: open mode (Monitor Mode); restricted mode (Low Impact Mode); secure mode (High-Security Mode)
Page 26
VLAN assignment: pros and cons
+ The simplest way to segment traffic
+ Most vendors support dynamic assignment (RFC 3580)
- New VLANs have to be created
- A new VLAN means a new IP subnet
- A dynamic VLAN change means a dynamic address change
- Managing many ACLs on every L3 interface is hard in large networks
Page 27
Downloadable ACLs: pros and cons
+ ACLs are managed centrally and applied to the given source IP address (the user's device)
+ The device address does not have to be written into the ACL
+ Scale better than per-user ACLs (more ACEs than fit in a RADIUS VSA)
+ For some services (such as PXE boot or Wake-On-LAN) access can be opened before authentication with an interface ACL
- A change of destination IP address must be reflected in every ACE
- Switch hardware resources can overflow when there are many ACE filtering lines
Page 28
Policy enforcement models
• The traditional 802.1X deployment mode (the secure mode) assumes no network access before authentication.
• After authentication, network access is opened and a VLAN is assigned and/or an ACL is downloaded (optional)
• The complete absence of network access before authentication, or after a failed authentication, disrupts services:
– DHCP; OS interaction (KRB5, LDAP, DNS, AD group policy (Group Policy Object)); the PXE protocol for OS boot; WoL for managing software and patches
– This is an unwelcome effect during the rollout phase
TrustSec enforcement modes help avoid 802.1X deployment problems: open mode, restricted mode, secure mode
Page 29
Open Mode (no restrictions)
RADIUS logs provide the data needed:
• successful/failed 802.1X/EAP authentications: the list of valid 802.1X clients and the list of invalid 802.1X clients
• successful/failed MAB authentications: the list of valid MACs and the list of invalid MACs
Diagram: a PORT running 802.1X/MAB in Open Mode
• All traffic is permitted
• Authentication still runs
• Supported for 802.1X and MAB
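The log review this slide calls for, as an added example that is not part of the original deck: a Python script that turns authentication log records into the lists named above (successful/failed 802.1X and MAB, valid and invalid clients and MACs) and additionally flags ports with repeated rejects, which is what an operator clears up before leaving Open Mode. The log line format below is constructed for this example and is not the ACS log format; the printer MAC is the one from the slide deck, all other values are made up.

```python
"""Added example (not from the original deck): summarise constructed
RADIUS authentication log lines into the lists an Open Mode pilot needs:
successful/failed 802.1X and MAB authentications, and which supplicants /
MAC addresses are valid or invalid. The log format below is constructed
for this example, not the ACS log format."""

import re
from collections import Counter, defaultdict

# Constructed sample records (not a real ACS export).
SAMPLE_LOG = """\
2010-06-01T09:00:01 status=ACCEPT method=dot1x user=msidorova mac=00:11:22:33:44:55 port=Gi1/0/1
2010-06-01T09:00:05 status=REJECT method=dot1x user=contractor1 mac=00:11:22:33:44:66 port=Gi1/0/2
2010-06-01T09:00:09 status=ACCEPT method=mab user=b2cf81a402d7 mac=B2:CF:81:A4:02:D7 port=Gi1/0/3
2010-06-01T09:00:12 status=REJECT method=mab user=00deadbeef01 mac=00:DE:AD:BE:EF:01 port=Gi1/0/4
2010-06-01T09:01:00 status=ACCEPT method=dot1x user=msidorova mac=00:11:22:33:44:55 port=Gi1/0/1
2010-06-01T09:02:00 status=REJECT method=dot1x user=contractor1 mac=00:11:22:33:44:66 port=Gi1/0/2
2010-06-01T09:03:00 status=REJECT method=mab user=00deadbeef01 mac=00:DE:AD:BE:EF:01 port=Gi1/0/4
this line is not a RADIUS record and must be skipped
"""

LINE_RE = re.compile(
    r"status=(?P<status>ACCEPT|REJECT) method=(?P<method>dot1x|mab|webauth) "
    r"user=(?P<user>\S+) mac=(?P<mac>\S+) port=(?P<port>\S+)"
)


def parse(log_text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(log_text, reject_threshold=2):
    """Per method: accept/reject counts, and each identity (username for
    802.1X, MAC for MAB) classed as valid (accepted at least once) or
    invalid (only ever rejected). Ports with repeated rejects are listed
    separately so they can be investigated before enforcement is enabled."""
    counts = defaultdict(Counter)
    seen = defaultdict(lambda: defaultdict(set))   # method -> identity -> statuses
    rejects_per_port = Counter()
    for rec in parse(log_text):
        method, status = rec["method"], rec["status"]
        identity = rec["mac"] if method == "mab" else rec["user"]
        counts[method][status] += 1
        seen[method][identity].add(status)
        if status == "REJECT":
            rejects_per_port[rec["port"]] += 1
    summary = {}
    for method, identities in seen.items():
        summary[method] = {
            "accept": counts[method]["ACCEPT"],
            "reject": counts[method]["REJECT"],
            "valid": sorted(i for i, s in identities.items() if "ACCEPT" in s),
            "invalid": sorted(i for i, s in identities.items() if "ACCEPT" not in s),
        }
    summary["repeat_reject_ports"] = sorted(
        p for p, n in rejects_per_port.items() if n >= reject_threshold)
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

An identity counts as valid as soon as it has one ACCEPT, so a user who mistyped a password once is not listed as invalid; an identity that never succeeds, or a port that keeps rejecting, is the signal to look at before switching the port from Open Mode to enforcement.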
Page 30
Control option 2. Restricted mode (Low Impact): access control with ACL
Selectively open access
• Open Mode plus default ACL permissions: to specific TCP/UDP ports, to specific addresses
• The ACL opens the required TCP/UDP ports
• All other traffic is blocked until successful 802.1X, MAB or web authentication
Page 31
Control option 2. Restricted mode (Low Impact): access control with ACL (continued)
Diagram: the PORT after authentication
• Downloadable dACLs override the existing ACL on the port
• Full (or restricted) access is granted
Page 32
Ingress access control
After 802.1X/MAB/Web Auth the switch either assigns a VLAN / VRF or downloads a dACL.
Questions for VLAN / VRF assignment:
• Can I create and manage the VLANs and the IP address pool?
• How is DHCP renewal handled in the new network?
• How do I manage ACLs on the VLAN interface?
• Do protocols such as PXE or WOL work with VLAN assignment?
• What is the impact on route summarization?
Questions for dACL download:
• Who will maintain the ACL?
• What if my destination IP addresses change?
• Does my switch have enough TCAM memory to handle all the requests?
Traditional access control methods have some deployment problems:
– A detailed design is required before deployment, otherwise…
– They are not as flexible as the business requires
– Access control may require a redesign of the whole network
Page 33
Egress access control using Security Groups
Security-group-based access control lets customers:
– keep the existing logical design of the access layer
– change / apply policy to match current business requirements
– distribute policy from a central management server
Diagram: 802.1X/MAB/Web Auth at ingress; groups Finance (SGT=4) and HR (SGT=10); a user who says "I am a contractor, my group is IT" is placed in Contractor & IT with SGT = 100; the SGACL is applied at egress.
Page 34
Applying SGT and SGACL
• A unique 16-bit tag (65K values) is assigned to each role
• It represents the privileges of a user, device or subject
• Tagging happens at ingress to the TrustSec domain
• Filtering by tag (SGACL) happens at egress from the TrustSec domain (usually in the data center)
• Rules contain no IP addresses (the IP address is bound to the tag)
• The policy (ACL) is distributed from the central policy server (ACS) or configured locally on the TrustSec device
Advantages
• Topology-independent policies
• Flexible and scalable policies based on the user's role
• Centralized policy management for dynamic rule deployment
• Egress filtering reduces the TCAM load
Diagram: SGACL; SG (Security Group); Security Group Tag
Page 35
Scenario: a medical institution's network
Users (source) and their Security Group: Doctor (SGT 7), Staff (SGT 11), Guest (SGT 15), IT Admin (SGT 5). User counts shown on the slide: 100, 5, 145, 150 (400 users in total).
Servers (destination) and their Security Group: Medical DB (SGT 10), Internal Portal (SGT 9), Public Portal (SGT 8), IT Portal (SGT 4). Server counts shown on the slide: 15, 5, 5, 5 (30 servers in total).
An SGACL sits between the user groups and the server groups.
Page 36
SGACL policy matrix: how SGACLs simplify access control
Rows are the source tag, columns the destination tag (IT Portal SGT 4, Public Portal SGT 8, Internal Portal SGT 9, Patient Record DB SGT 10).
• Doctors (SGT 7), cells as extracted: Web; Web; No Access; Web, File Share
• IT admins (SGT 5), cells as extracted: Web, SSH, RDP, File Share; Web, SSH, RDP, File Share; Full Access; SSH, RDP, File Share
IT Maintenance ACL (the "Web, SSH, RDP, File Share" cell):
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 445
deny ip
Page 37
SGACL effectiveness in real conditions
400 users get access to 30 network resources with 4 permission types per resource.
• Traditional ACL on the firewall without source filtering: Any (src) * 30 (dst) * 4 permissions = 120 ACEs
• Traditional ACL on the firewall with source filtering: 400 (src) * 30 (dst) * 4 permissions = 48 000 ACEs
• Traditional ACL on a VLAN interface, filtering by source subnet: 4 VLANs (src) * 30 (dst) * 4 permissions = 480 ACEs
• Port filtering with a Downloadable ACL: 1 group (src) * 30 (dst) * 4 permissions = 120 ACEs
• With SGACL: 4 SGT (src) * 4 SGT (dst) * 4 permissions = 64 ACEs
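The ACE counts on this slide, reproduced by enumeration rather than multiplication, as an added example that is not part of the original deck: the script builds the actual rule lists for the per-host firewall ACL, the per-VLAN ACL, the per-port dACL and the SGACL from the role sizes, group sizes and SGT values of slides 35 to 37, and counts them. The IP addressing (10.<role>.0.0/16 per role, 10.200.<group>.0/24 per server group) and the mapping of the four permission types to TCP ports 80, 22, 3389 and 445 are constructed for the example.

```python
"""Added example (not from the original deck): build the ACE lists that
slide 37 counts, from constructed addressing, so that the 48 000 vs 64
figures come out of enumeration. Roles, group sizes and SGTs follow slides
35-37; the IP ranges and port numbers are constructed."""

from ipaddress import ip_address

# Source roles: SGT and user count (400 users); destination groups: SGT and
# server count (30 servers); four permission types per resource.
ROLES = {"Doctor": (7, 100), "Staff": (11, 5), "Guest": (15, 145), "IT Admin": (5, 150)}
GROUPS = {"Medical DB": (10, 15), "Internal Portal": (9, 5),
          "Public Portal": (8, 5), "IT Portal": (4, 5)}
PERMISSIONS = {"web": 80, "ssh": 22, "rdp": 3389, "file-share": 445}


def hosts(base, count):
    """Constructed: `count` consecutive addresses starting at `base`."""
    start = ip_address(base)
    return [str(start + i) for i in range(count)]


def constructed_addressing():
    """One /16 per role (10.1.0.0, 10.2.0.0, ...) and one /24 per server
    group (10.200.1.0, 10.200.2.0, ...); all addresses are made up."""
    users = {role: hosts(f"10.{i + 1}.0.1", n)
             for i, (role, (_sgt, n)) in enumerate(ROLES.items())}
    servers = {grp: hosts(f"10.200.{i + 1}.1", n)
               for i, (grp, (_sgt, n)) in enumerate(GROUPS.items())}
    return users, servers


def per_host_fw_aces(users, servers):
    """Firewall ACL with source filtering: one ACE per (user host, server
    host, permission)."""
    return [f"permit tcp host {u} host {s} eq {port}"
            for role_hosts in users.values() for u in role_hosts
            for grp_hosts in servers.values() for s in grp_hosts
            for port in PERMISSIONS.values()]


def per_vlan_aces(servers, vlans=len(ROLES)):
    """ACL on the VLAN interface: the source is the role's subnet."""
    return [f"permit tcp 10.{v + 1}.0.0 0.0.255.255 host {s} eq {port}"
            for v in range(vlans)
            for grp_hosts in servers.values() for s in grp_hosts
            for port in PERMISSIONS.values()]


def dacl_aces(servers):
    """Downloadable ACL on the port: the source is the authenticated host
    itself, so only destinations and permissions are enumerated."""
    return [f"permit tcp any host {s} eq {port}"
            for grp_hosts in servers.values() for s in grp_hosts
            for port in PERMISSIONS.values()]


def sgacl_aces():
    """SGACL: source and destination are tags, not addresses, so the list
    does not grow with the number of hosts."""
    return [f"SGT {ssgt} -> DGT {dsgt}: permit tcp dst eq {port}"
            for ssgt, _ in ROLES.values()
            for dsgt, _ in GROUPS.values()
            for port in PERMISSIONS.values()]


def ace_counts():
    users, servers = constructed_addressing()
    return {
        "fw_per_host": len(per_host_fw_aces(users, servers)),
        "vlan_interface": len(per_vlan_aces(servers)),
        "dacl_per_port": len(dacl_aces(servers)),
        "sgacl": len(sgacl_aces()),
    }


if __name__ == "__main__":
    for model, n in ace_counts().items():
        print(f"{model:15s} {n:>6d} ACEs")
```

The point the enumeration makes explicit: every model except the SGACL has a term that grows with host count or subnet count, and a moved server or a renumbered subnet rewrites those lists, while the SGACL list changes only when a role or a permission type is added.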
Page 38
Security Group based Access Control: how it works
Diagram components: users and devices (agentless device, 802.1X, MAB, LWA); Catalyst® 3750-X and Catalyst® 4948 access switches; Active Directory; ACS v5.2; the campus network; a Nexus® 7000 pair, with SXP running from the access switches to the N7K; VLAN100 and VLAN200; untagged and tagged frames; SGT=7 on the doctor's traffic; the groups Doctor (SGT 7), IT Admin (SGT 5), Public Portal (SGT 8), Internal Portal (SGT 9), Patient Record DB (SGT 10) and IT Portal (SGT 4).
1. The device connects to the network
2. The access switch authenticates the user and assigns an SGT
3. SXP carries the IP-to-SGT tables to the N7K
4. The SGT-capable device (N7K) receives the packets and sets the SGT
5. The SGT-capable device (N7K) filters the packets based on the SGT
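The five steps above as a small simulation, added here as an example that is not part of the original deck: an IP-to-SGT binding table standing in for what SXP carries (steps 2 and 3), a tagging step at ingress to the SGT-capable device (step 4), and an SGACL lookup with ACE evaluation at egress (step 5). The bindings, the matrix cells and the packets are constructed; the ACE syntax and the IT Maintenance ACL follow slide 36, and the Doctor-to-Patient-Record-DB cell is given the "Web, File Share" permissions from that slide's matrix.

```python
"""Added example (not from the original deck): the slide's five steps as a
simulation: an IP-to-SGT binding table (what SXP carries), tagging at
ingress, and SGACL lookup plus ACE evaluation at egress. Bindings, policy
cells and packets are constructed; the ACE syntax follows slide 36."""

from dataclasses import dataclass

# Steps 2-3: IP-to-SGT bindings learned by the access switch and carried
# over SXP to the SGT-capable device (constructed addresses).
BINDINGS = {
    "10.1.0.5": 7,      # doctor
    "10.4.0.9": 5,      # IT admin
    "10.3.0.2": 15,     # guest
    "10.200.10.1": 10,  # Patient Record DB
    "10.200.4.1": 4,    # IT Portal
}
UNKNOWN_SGT = 0         # untagged / no binding

IT_MAINTENANCE_ACL = [                     # slide 36
    "permit tcp dst eq 80", "permit tcp dst eq 22",
    "permit tcp dst eq 3389", "permit tcp dst eq 445", "deny ip",
]
WEB_FILE_SHARE_ACL = ["permit tcp dst eq 80", "permit tcp dst eq 445", "deny ip"]

# SGACL matrix: (source SGT, destination SGT) -> ACE list. A cell that is
# absent from the matrix falls back to DEFAULT.
MATRIX = {
    (5, 10): IT_MAINTENANCE_ACL,   # IT admin -> Patient Record DB
    (5, 4): ["permit ip"],         # IT admin -> IT Portal: full access
    (7, 10): WEB_FILE_SHARE_ACL,   # doctor -> Patient Record DB
}
DEFAULT = ["deny ip"]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    dst_port: int = 0
    sgt: int = UNKNOWN_SGT   # filled in at ingress


def tag_at_ingress(pkt):
    """Step 4: stamp the packet with the SGT bound to its source IP, or 0
    when there is no binding."""
    pkt.sgt = BINDINGS.get(pkt.src_ip, UNKNOWN_SGT)
    return pkt


def ace_matches(ace, pkt):
    """Evaluate one ACE written as 'permit|deny <proto> [dst eq <port>]';
    return the action on a match, None otherwise."""
    parts = ace.split()
    action, proto = parts[0], parts[1]
    if proto != "ip" and proto != pkt.proto:
        return None
    if len(parts) == 5 and parts[2:4] == ["dst", "eq"] and int(parts[4]) != pkt.dst_port:
        return None
    return action


def enforce_at_egress(pkt):
    """Step 5: look up the (source SGT, destination SGT) cell and apply its
    ACEs in order; the first match decides, and no match means deny."""
    dst_sgt = BINDINGS.get(pkt.dst_ip, UNKNOWN_SGT)
    for ace in MATRIX.get((pkt.sgt, dst_sgt), DEFAULT):
        verdict = ace_matches(ace, pkt)
        if verdict:
            return verdict
    return "deny"


def forward(pkt):
    """Whole path of one packet through the simulated TrustSec domain."""
    return enforce_at_egress(tag_at_ingress(pkt))


if __name__ == "__main__":
    samples = [
        Packet("10.1.0.5", "10.200.10.1", "tcp", 445),   # doctor -> DB, file share
        Packet("10.1.0.5", "10.200.10.1", "tcp", 22),    # doctor -> DB, ssh
        Packet("10.4.0.9", "10.200.10.1", "tcp", 3389),  # IT admin -> DB, rdp
        Packet("10.3.0.2", "10.200.10.1", "tcp", 80),    # guest -> DB, web
        Packet("10.9.9.9", "10.200.4.1", "tcp", 80),     # no binding at all
    ]
    for p in samples:
        print(f"{p.src_ip} -> {p.dst_ip} {p.proto}/{p.dst_port}: {forward(p)}")
```

Two failure modes are worth noticing in the simulation: a source with no binding gets SGT 0 and therefore only the default cell, and a missing matrix cell is a deny rather than a permit, so a gap in SXP propagation or in the matrix fails closed.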
Page 39
Data integrity and confidentiality
Page 40
Confidentiality and integrity: securing the data path with MACSec
• Provides "WLAN/VPN-equivalent" encryption (128-bit AES GCM) for LAN connections
• Standards-based encryption (IEEE 802.1AE) plus standards-based key management (IEEE 802.1X-2010/MKA)
• Makes it possible to audit and to provide security services
Media Access Control Security (MACSec), also called LinkSec
Diagram: a supplicant with MACSec authenticates with 802.1X; the MACSec channel runs between MACSec-capable devices, which encrypt and decrypt at each hop, for the authenticated user; the guest's data is forwarded in the clear.
Current MACSec support
MACSec at the access layer
• Catalyst 3750-X/3560-X (client-facing ports)
• Requires Cisco IOS 12.2(53)SE2
• 802.1X-REV (MKA) for key management. Note: MACSec is currently not supported on Cat3750-X uplinks.
MACSec for the infrastructure
• Nexus 7000 series data-center switches
• Supported on 1GbE/10GbE line cards
• Requires NX-OS 5.0(2)a
• SAP (Cisco protocol) for key management
Note: SAP and MKA require ACS version 5.1 or later. SAP has an option for static key configuration on the Nexus 7000 interface. At present MACSec/MKA is supported only at the access layer, and MACSec/SAP is supported for infrastructure use; in the future, standards-based MACSec/MKA support will be provided everywhere.
AnyConnect 3.0 for MACSec
AnyConnect 3.0 provides:
• A unified access interface for SSL VPN, IPsec and 802.1X (LAN/WLAN)
• Support for MACSec/MKA (802.1X-REV) with software encryption (throughput depends on CPU power)
• Using MACSec-capable hardware (network adapters) increases AnyConnect 3.0 performance
Hardware MACSec support: Intel 82576 Gigabit Ethernet Controller, Intel 82599 10 Gigabit Ethernet Controller, Intel ICH10 / Q45 Express Chipset (1GbE LOM). (Dell, Lenovo, Fujitsu and HP ship workstations with these network adapters.)
Managing TrustSec: CiscoWorks LMS 4.0
The CiscoWorks LMS 4.0 system
Work centers (configuration, monitoring, reporting):
• EnergyWise: large-scale switch configuration; manage EW domains and policies; power consumption, cost savings, policy compliance, alarms and events
• Cisco TrustSec: large-scale 802.1X identity deployment; day-N configuration changes; authorization and authentication success/failure trends, login statistics
• Smart Install: centrally manage Smart Install Directors; manage client switch configuration and software images; Smart Install-specific LMS job management
• Auto Smartports: large-scale ASP deployment and day-N configuration changes; event/trigger management; MAC-based group configuration; Auto Smartports-specific LMS job management
The work center concept:
• manages the whole lifecycle of a given task (technology)
• from readiness assessment through deployment and support
• simplifies large-scale deployments of the technology
Integration of LMS 4.0 with TrustSec functionality on switches
TrustSec Identity Work Center
• Assessment of network readiness (hardware/software/configuration) for a TrustSec deployment
• Switch configuration (RADIUS, authorization profiles on interfaces and devices, including all the new TrustSec options)
• Reports on TrustSec configurations and troubleshooting
• Monitoring of identity data over SNMP (authenticated/authorized users, authentication failures, etc.)
• Status-monitoring portlets on the LMS dashboard
Calculating the financial metrics of a TrustSec deployment
TrustSec Return On Investment (ROI) calculator
Cost and loss calculation
Conclusions
• TrustSec provides a complete access-control architecture that covers diverse user scenarios and leads the NAC market in functionality
• TrustSec uses many features of the Cisco network infrastructure that simplify deployment and allow it to adapt to the needs of real, heterogeneous networks
• The value of TrustSec lies in its support for a large number of additional services (guest access, support for agentless devices, security tags and encryption) that significantly extend the basic functionality of NAC or 802.1X
• The next step for Cisco TrustSec solutions is tighter integration into a single platform
Questions and answers
Useful links
• TrustSec based on 802.1X for campus networks: http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html
• Identity-Based Networking Services: deploying IEEE 802.1X: http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
• Scenario-based deployment of Identity Based Networking Services: http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
• Configuring and deploying IP telephony in IEEE 802.1X networks: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
• ROI calculators for TrustSec: http://www.cisco.com/assets/sol/sec/flash/trustsec/pop.html and http://www.ciscosecuritynac.com/Cisco_NAC_GOV_ROI_Calculator.xls
We would like to hear your opinion
Please fill in the questionnaire
Overview of the new versions of Cisco network access control solutions: Cisco NAC, Cisco Secure ACS
Vladimir Ilibman, systems engineer consultant
Contents
• Role-based access control in the LAN: practical scenarios for applying the technologies
• Rule-based access policies: Cisco Secure ACS 5.x
• The access control model based on NAC Appliance
• Profiling access for "non-user" devices
• Guest access
Rule-based access policies: Cisco Secure ACS 5.x
Platform options for Cisco Access Control System 5.2
1. Cisco Secure 1121 appliance: a 1RU appliance built on a Linux-based system (ADE OS) with a hardened security policy
2. VMware image: the software application plus a Linux OS, for installation on VMware ESX 3.5 or 4.0
Version 5.2 supports:
• FIPS 140-2 Level 1 certification
• SHA-256
• Internet Explorer 8 for the administrator interface
• Windows 2008 R2 for AD authentication
Cisco Secure Access Control System (ACS) 5.x: architecture highlights
[Diagram: ACS architecture. Blocks: identity interfaces; device protocols; ACS runtime; policy and inventory; session state; accounting and logging; posture and audit protocols; provisioning interfaces and tools; ACS management; reporting and troubleshooting. Interactions: report; interact and query; integrate and enforce.]
1. A rule-based operating model that gives flexibility in defining policies
2. A new incremental replication mechanism, making distributed deployments possible
3. Simplified administration through an updated web GUI and a new IOS-like CLI
4. New reporting capabilities that previously required the separate Cisco ACS View product
5. Support for user and device hierarchies in the internal ACS database
6. Improved integration with external stores (AD, LDAP, SecurID/OTP, RADIUS proxy) for identification and policy decisions
A more flexible policy, with role-based access control
[Diagram: identity information (Identity: Network Administrator, Identity: Full-Time Employee, Identity: Guest) plus other conditions (time and date, access type, location) determine the access privilege: Engineering, Human Resources, Finance, Home Access, Deny Access, Guest.]
Everyone has their own role:
• Anton Almazov, employee, consultant
• Viktoria Katernyuk, employee, marketing
• Anna Petrova, employee, sales director
• Maria Sidorova, HR department employee
A policy for today's business requirements
[Diagram: identity information (Identity: network administrator, Identity: full-time employee, Identity: guest) and other conditions (time and date, access type, location) map to access privileges: consultant, HR department, accounting, marketing, deny, guest.]
Role and rule-based access control
[Diagram, scenario 1: identity information (Identity: Network Administrator, Identity: Guest, Identity: Full-Time Employee); access privileges: Engineering, Finance, Home Access, Deny Access, Guest, HR department; other conditions: time and date, location: headquarters, access type: wired. User: M. Sidorova, HR department employee.]
[Diagram, scenario 2: the same identity information and access privileges (Engineering, Finance, Home Access, Guest, Human Resources); other conditions: time and date, location: branch office, access type: wireless. Result: deny. User: M. Sidorova, HR department employee, outside the perimeter.]
Example of policy elements
Policy conditions: access type, location, date and time, network device type, NAD IP address, EAP authentication method, authentication status, AD group, LDAP attributes, RADIUS attribute, and so on.
Identity attributes of the user Maria Sidorova: type: Reg. Employee; title: Sr. HR Advisor; group: HR Admin Group; department ID: 240087; phone: 495-555-5555; mail: [email protected]
Applying access rules
1. Network access authorization policy: ACS provides a powerful IF-THEN-ELSE model for building a flexible corporate policy
2. Authorization profiles provide the methods for enforcing policies at the point of entry
3. A host can be assigned a Security Group at the same time
Authorization methods:
• VLAN assignment
• Downloadable ACL (dACL)
• URL redirection
• Security Group ACL
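The IF-THEN-ELSE model and the four authorization methods above, as an added example that is not ACS code: a first-match rule engine over the identity and the other conditions shown on the earlier slides, returning an authorization profile. The rule contents, VLAN/dACL/SGT values, the redirect URL and the sample sessions (including the M. Sidorova scenarios from the preceding slides) are constructed.

```python
"""Added example (not ACS code): a first-match IF-THEN-ELSE authorization
policy over identity and the other conditions from the slides. Rule contents,
VLAN/dACL/SGT values, the redirect URL and the sample sessions are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Session:
    """What the policy engine knows about one access request."""
    user: str
    identity: str        # "Network Administrator" | "Full-Time Employee" | "Guest"
    ad_group: str        # AD group, e.g. "HR"
    access_type: str     # "wired" | "wireless" | "vpn"
    location: str        # "HQ" | "Branch"
    when: datetime


@dataclass(frozen=True)
class AuthzProfile:
    """Enforcement result built from the four authorization methods on the slide."""
    name: str
    vlan: Optional[int] = None
    dacl: Optional[str] = None
    url_redirect: Optional[str] = None
    sgt: Optional[int] = None
    deny: bool = False


DENY = AuthzProfile("Deny Access", deny=True)
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]          # all must hold (AND)
    result: AuthzProfile

    def matches(self, s: Session) -> bool:
        return all(c(s) for c in self.conditions)


def business_hours(s: Session) -> bool:
    return s.when.weekday() < 5 and time(8, 0) <= s.when.time() <= time(19, 0)


# Ordered rule table: the first matching rule wins, the implicit ELSE is deny.
POLICY = [
    Rule("Network administrators, any access",
         [lambda s: s.identity == "Network Administrator"],
         AuthzProfile("Engineering", vlan=10, dacl="PERMIT_ALL", sgt=12)),
    Rule("Guests are redirected to the portal",
         [lambda s: s.identity == "Guest"],
         AuthzProfile("Guest", vlan=900, dacl="DHCP_DNS_HTTP_ONLY",
                      url_redirect="https://guest.example.invalid/portal")),
    Rule("HR staff, wired, at headquarters, business hours",
         [lambda s: s.identity == "Full-Time Employee",
          lambda s: s.ad_group == "HR",
          lambda s: s.access_type == "wired",
          lambda s: s.location == "HQ",
          business_hours],
         AuthzProfile("Human Resources", vlan=200, dacl="HR_SERVERS", sgt=13)),
    Rule("Employees on wireless outside headquarters are denied",
         [lambda s: s.identity == "Full-Time Employee",
          lambda s: s.access_type == "wireless",
          lambda s: s.location != "HQ"],
         DENY),
    Rule("Other employees, business hours",
         [lambda s: s.identity == "Full-Time Employee", business_hours],
         AuthzProfile("Home Access", vlan=300, dacl="INTERNET_AND_MAIL")),
]


def authorize(s: Session, policy=POLICY) -> AuthzProfile:
    for rule in policy:
        if rule.matches(s):
            return rule.result
    return DENY


def decision_trail(s: Session, policy=POLICY) -> List[str]:
    """Names of the rules evaluated up to and including the one that matched,
    the kind of trail the Live Authentication Log shows for a request."""
    trail = []
    for rule in policy:
        trail.append(rule.name)
        if rule.matches(s):
            break
    return trail


# Constructed sessions, including the M. Sidorova scenarios from the slides
# (Tuesday 16 November 2010, 10:00 is a weekday inside business hours).
SAMPLES = {
    "sidorova_hq_wired": Session("msidorova", "Full-Time Employee", "HR",
                                 "wired", "HQ", datetime(2010, 11, 16, 10, 0)),
    "sidorova_branch_wireless": Session("msidorova", "Full-Time Employee", "HR",
                                        "wireless", "Branch", datetime(2010, 11, 16, 10, 0)),
    "sidorova_hq_saturday": Session("msidorova", "Full-Time Employee", "HR",
                                    "wired", "HQ", datetime(2010, 11, 20, 10, 0)),
    "guest": Session("visitor", "Guest", "", "wireless", "HQ",
                     datetime(2010, 11, 16, 10, 0)),
    "admin_vpn_night": Session("netadmin", "Network Administrator", "IT",
                               "vpn", "Branch", datetime(2010, 11, 20, 23, 0)),
}

if __name__ == "__main__":
    for label, sess in SAMPLES.items():
        print(f"{label}: {authorize(sess).name} via {decision_trail(sess)[-1]!r}")
```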
Cisco ACS monitoring and troubleshooting
Fully customizable dashboards
Detailed reporting:
• Standard reports
• Templates
• Customizable reports
Alarms and notifications:
• Customizable triggers
• Alarms sent by e-mail or syslog
The Live Authentication Log dashboard
1. The Live Authentication Log gives fast access to authentication records in real time
2. Additional authentication details are available: the reason for a rejection and the detailed sequence of decisions taken
Live Authentication Log: example of the Log Analysis View
– Report on user authentications
Grouping devices and users
Flat device grouping in ACS 4.x, for example:
• Africa-Southern-SouthAfrica-Firewalls
• Africa-Southern-SouthAfrica-Switches
• Africa-Southern-SouthAfrica-Routers
• Africa-Southern-Namibia-Firewalls
• Africa-Southern-Namibia-Switches
• Africa-Southern-Namibia-Routers
• Africa-Southern-Botswana-Firewalls
• Africa-Southern-Botswana-Switches
• Africa-Southern-Botswana-Routers
• …
Multiple hierarchies in ACS 5:
• Device type hierarchy: All devices
– Routers: Router1, Router2
– Switches: Switch1, Switch2
• Location hierarchy: All devices
– Africa devices: South Africa devices (Router2, Switch2); Southern devices
– Asia devices
A device (or user) can belong to several groups
Assigning groups to a device
Migrating from earlier ACS versions
Check the ACS functionality you need: ACS 5.1/5.2 supports the overwhelming majority of ACS 4.x features, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html
Use the following methods to build the configuration:
– Migration tool (imports ACS 4.x configurations)
– Import tool (a utility that imports CSV files with configuration data): users, hosts, network devices, identity groups, NDGs, downloadable ACLs, command sets
– Manual configuration
The access control model based on NAC Appliance
Cisco TrustSec NAC Appliance for infrastructures without 802.1X
[Diagram: users and devices (guests, a network-attached device, IP phones, computers with NAC Agent) connect through a Cisco Catalyst switch (the policy enforcement point) or a WLC to the campus network. NAC Manager controls the switch over SNMP; NAC Server, NAC Guest Server, NAC Profiler Server and the directory service sit behind it; the protected resources are on the far side.]
Advantages of NAC Appliance
• Authentication: of users and devices on the network
• Policy control and enforcement: to ensure compliance with the access policy
• Checks and reports: who is on my network?
• Differentiated access: to organize role-based access to the network
The NAC authentication and authorization process: Out-of-Band
1. The end user connects a laptop to the network.
2. The switch sends NAC Manager a notification about the new MAC address.
3. If the device has not been authenticated by NAC Manager, it is moved into the "authentication" VLAN.
4. Credential information is requested to determine the "role":
• NAC Agent receives from NAC Server a command to check compliance based on the role.
5. If necessary, the computer's configuration is remediated.
7. NAC Server informs NAC Manager that the host is "certified", and NAC Manager instructs the switch to move the port into the "access" VLAN.
8. The laptop gets access to the corporate network.
[Diagram: a computer with NAC Agent on a switch port; NAC Manager and NAC Server; the port moves between VLAN 110 and VLAN 10 on the switch during the process.]
NAC Agent for NAC login and compliance assessment
4. The posture is analyzed (the types of checks depend on the user role); remediation options (manual and automatic)
Authentication with SSO support
NAC Appliance web authentication
Web Agent for contractors and guests (performs the posture check); a browser for web authentication
NAC Appliance deployment options
1. Wired network: Layer 3 Out-of-Band with ACLs or VRFs
2. Wireless network: In-Band, or a Layer 2 Out-of-Band connection to the WLC controller
3. VPN: connected In-Band to a VPN concentrator or ASA
4. Access devices of third-party vendors: In-Band
Introducing NAC 4.8
New features and capabilities to support a larger number of user scenarios:
• Out-of-Band logoff
• Passive periodic posture assessment (Passive Re-Assessment)
• Faster AV/AS updates
• Support for NAC modules for the ISR
• Extended reporting
• NAC Agent authorizes the server
• Restriction of administrator access by source IP
[Diagram labels: NACS, NACM, Auth]
How do I re-assess devices after they have been certified? NAC passive re-assessment
• Agent support for Windows and Mac
• Agents receive the re-assessment policy from the NAC server
• Policies are defined independently for each user
• You can allow users to keep working, remediate the non-compliance, or force users failing re-assessments to end their session
[Diagram: NACM and NACS; list of non-compliances; role requirements; "you must remediate"; compliance achieved.]
The passive re-assessment policy can be assigned independently of the login (initial sign-on) policy.
Using NAC Profiler for device access control
NAC Profiler: advantages
Examples of profiled device categories: IP phones, printers, IP cameras, UPS units, PCs without supplicants (non-802.1X devices on your network).
[Diagram: Collector and Profiler components of NAC Profiler.]
Device profiling: discovery of all network devices by type and location; real-time and historical status of discovered devices.
Device monitoring: monitoring the state of network devices; detection of events such as address spoofing, port changes and so on.
Profiling
The Profiler Collector gathers and correlates attributes to identify endpoints; a profile is therefore a set of attributes.
[Diagram: NAC Profiler Server and Profiler Collector; attribute sources: CDP, NetFlow (IP address and port), DHCP vendor ID, MAC OUI.]
What does a phone profile look like? On the Profiler Server, the administrator defined a "phone" as:
• MAC OUI = Cisco Systems
• CDP ID = SEP00BFDFCD658
• DHCP vendor id = IP phone
• Traffic = RTP, SIP and Skinny
Anti-spoofing: if a "phone" starts sending traffic other than voice, the device is no longer profiled as a phone.
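The phone profile and the anti-spoofing rule above, as an added example that is not NAC Profiler code: a profile is scored from the collected attributes, and an endpoint that starts non-voice traffic loses the phone profile. The OUI table, weights, threshold and observations are constructed; the attribute sources and the SEP prefix of the CDP ID come from the slides.

```python
"""Added example (not NAC Profiler code): a profile is a weighted set of
attributes collected for an endpoint, and a 'phone' that starts non-voice
traffic loses the profile. OUI table, weights, threshold and observations are
constructed; the attribute sources and the SEP prefix come from the slides."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed OUI table (first three octets -> vendor); a real collector
# would use the IEEE registry.
OUI_VENDOR = {"00:1B:54": "Cisco Systems", "00:1E:C9": "Dell", "3C:D9:2B": "HP"}
VOICE_APPS = {"sip", "rtp", "skinny"}


@dataclass
class Endpoint:
    mac: str
    cdp_id: str = ""                       # CDP device ID (Cisco phones: SEP<MAC>)
    dhcp_vendor: str = ""                  # DHCP vendor class identifier
    dhcp_options: Set[int] = field(default_factory=set)          # options requested
    flows: List[Tuple[str, int]] = field(default_factory=list)   # (app, dport) from NetFlow
    profile: str = "Unknown"
    revoked: Set[str] = field(default_factory=set)               # profiles lost to anti-spoofing
    events: List[str] = field(default_factory=list)


def oui_vendor(mac: str) -> str:
    return OUI_VENDOR.get(mac.upper()[:8], "unknown")


# Profile definitions: name -> (attribute test, weight). The phone profile is
# the one the slide describes: MAC OUI, CDP ID, DHCP vendor id and voice traffic.
PROFILES = {
    "IP Phone": [
        (lambda e: oui_vendor(e.mac) == "Cisco Systems", 2),
        (lambda e: e.cdp_id.startswith("SEP"), 3),
        (lambda e: "ip phone" in e.dhcp_vendor.lower(), 3),
        (lambda e: 150 in e.dhcp_options, 1),          # TFTP option used by phones
        (lambda e: any(app in VOICE_APPS for app, _ in e.flows), 2),
    ],
    "Printer": [
        (lambda e: "jetdirect" in e.dhcp_vendor.lower(), 4),
        (lambda e: any(port in (9100, 631) for _, port in e.flows), 3),
    ],
}
THRESHOLD = 5   # minimum score before a profile is assigned


def score(e: Endpoint) -> Dict[str, int]:
    return {name: sum(w for test, w in rules if test(e))
            for name, rules in PROFILES.items() if name not in e.revoked}


def classify(e: Endpoint) -> str:
    """Assign the best-scoring profile that reaches the threshold."""
    scores = score(e)
    if scores:
        name, pts = max(scores.items(), key=lambda kv: kv[1])
        e.profile = name if pts >= THRESHOLD else "Unknown"
    else:
        e.profile = "Unknown"
    return e.profile


def observe_flow(e: Endpoint, app: str, dport: int) -> str:
    """Anti-spoofing from the slide: a phone that sends non-voice traffic is
    no longer profiled as a phone, and the profile is not re-granted later."""
    e.flows.append((app, dport))
    if e.profile == "IP Phone" and app not in VOICE_APPS:
        e.events.append(f"{e.mac}: non-voice traffic {app}/{dport}, IP Phone profile revoked")
        e.revoked.add("IP Phone")
        e.profile = "Unknown"
    return e.profile


if __name__ == "__main__":
    phone = Endpoint("00:1b:54:aa:bb:cc", cdp_id="SEP001B54AABBCC",
                     dhcp_vendor="Cisco Systems, Inc. IP Phone", dhcp_options={150},
                     flows=[("sip", 5060), ("rtp", 16384)])
    print(classify(phone), score(phone))
    print(observe_flow(phone, "smb", 445), phone.events)
```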
Page 84
Endpoint attributes used to determine a profile
Layer 2
• MAC address / vendor
• DHCP attributes:
– Vendor Class Identifier
– Hostname
– DHCP options (for example option 150 for IP phones)
• RADIUS accounting information
Layer 3-7
• Open TCP ports
• Traffic type
• Web User Agent type
• Web URL matching
• Banners of the embedded web server
• Banners of the embedded SMTP server
• Network stack information
• DNS name
• CDP
• SNMP System Description
Page 85
NAC profile in an 802.1X infrastructure
Collected endpoint data; management and control
LDAP Query / LDAP Response
NAC Profiler Server
Cisco Secure ACS
NAC Profiler Collector
NAC Profiler Collector
Integration via LDAP
Page 86
802.1X and Profiler LDAP integration
• Profiler integrates with ACS over LDAP to classify endpoints by MAC address for MAC Authentication Bypass (MAB).
• Profiler passes the following information to ACS:
– the MAC address of the discovered device
– the profile name
• Profiler can force the switch port to re-authenticate a device by "bouncing" the port.
Page 87
NAC Profiler with NAC Appliance
NAC API and Direct SQL
NAC Profiler Server
NAC Manager
NAC Server1 w/ NAC Profiler Collector
NAC Server1 w/ NAC Profiler Collector
Collected endpoint data; management and control
Page 88
Integration with NAC Manager
• All endpoints are classified with the help of NAC Profiler. Profiler filters out the profiled devices and passes the information to NAC Manager. The following data is passed through the NAC Manager API:
– the device MAC address
– a description
– the access type (Allow, Deny, Role, Check, Ignore)
• The profiler keeps monitoring devices to make sure the profile has not changed. If the profile changes (because the device was swapped), Profiler informs NAC Manager and the device is re-classified.
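The phone profile and its anti-spoofing rule from the profiling slides, together with the re-classification and access-type hand-off described on this slide, worked as an added Python example; this is not Cisco code, and the OUI table, the profile rule and the profile-to-access-type mapping are constructed assumptions.

```python
"""Endpoint profiling with anti-spoofing and NAC-Manager-style re-classification.
Added example, not Cisco code. The OUI table, profile rule and access-type mapping
are constructed; the access-type values follow the slide (Allow, Deny, Role, Check, Ignore)."""
from dataclasses import dataclass, field

VOICE_PROTOCOLS = {"RTP", "SIP", "SKINNY"}   # voice traffic allowed by the phone profile

# Constructed OUI -> vendor table (a real deployment would use the IEEE registry)
OUI_VENDOR = {"00:1B:D4": "Cisco Systems"}

# Profile name -> access type handed to NAC Manager (hypothetical mapping)
PROFILE_ACCESS = {"IP Phone": "Allow", "Unknown": "Check"}


@dataclass
class Endpoint:
    mac: str                      # learned from the switch or DHCP
    cdp_id: str = ""              # CDP device ID, "SEP..." for Cisco phones
    dhcp_vendor: str = ""         # DHCP vendor class identifier (option 60)
    protocols: set = field(default_factory=set)  # traffic types seen via NetFlow


def oui_vendor(mac: str) -> str:
    """Map the first three MAC octets to a vendor name."""
    return OUI_VENDOR.get(mac.upper()[:8], "unknown")


def is_ip_phone(ep: Endpoint) -> bool:
    """Every phone attribute must match and the observed traffic must be voice only."""
    return (oui_vendor(ep.mac) == "Cisco Systems"
            and ep.cdp_id.startswith("SEP")
            and ep.dhcp_vendor.lower() == "ip phone"
            and bool(ep.protocols) and ep.protocols <= VOICE_PROTOCOLS)


def classify(ep: Endpoint) -> str:
    """Return the profile name for an endpoint."""
    return "IP Phone" if is_ip_phone(ep) else "Unknown"


def access_type(profile: str) -> str:
    """Access type that would be passed to NAC Manager for this profile."""
    return PROFILE_ACCESS.get(profile, "Check")


def observe_traffic(ep: Endpoint, current_profile: str, new_protocols):
    """Monitoring step: record newly seen traffic, re-classify, and report whether
    the profile changed (NAC Manager must be informed and the port re-authenticated)."""
    ep.protocols |= {p.upper() for p in new_protocols}
    new_profile = classify(ep)
    return new_profile, access_type(new_profile), new_profile != current_profile
```

A device that matches every phone attribute stays "IP Phone" while it only sends RTP/SIP/Skinny; the first non-voice flow drops it to "Unknown" and flags the change.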
Page 89
Guest access management
Page 90
Guest access management options
Three options for managing guest accounts:
• Local web authentication on the switch
– Used mainly in small deployments
– Wired connections
• Centralized NAC Guest server
– Used for large deployments
– Wired and wireless connections are supported
– Flexible options for issuing guest accounts
• Centralized on the Wireless Controller
– Widely used when guests connect only over wireless
Types of guest access
Group: Contractor
Group: Guest
Page 91
Guest access management cycle
MANAGEMENT
NOTIFICATION
REPORTING
Creating a guest login
Managing guest logins
Providing logins to guests
Reporting on guests
Delegation of account-creation rights; bulk creation of accounts
Print
Send by e-mail
Send via SMS
View, edit, automatically lock
Management of account groups
Viewing network traffic reports
Viewing reports on account actions
Page 92
TrustSec NAC Guest Server
• Multi-function appliance (NAC Appliance 3315 platform)
• The complete guest access management lifecycle
• Hosting of authentication pages for hotspots
NAC Guest Server (NGS) 2.02
• Flexible web portal for employees who request guest accounts, with integration into:
– Active Directory with SSO support
– LDAP
– RADIUS
– Kerberos
Page 93
How network devices work with NAC Guest
Network devices enforce access control for the guest user:
– they automatically redirect the user to the portal
– they authenticate the user through the guest server
– they enforce the access rights
– they record information about network activity
Cisco NAC Appliance
– Posture (compliance) assessment
– Wired and wireless enforcement
Cisco Wireless LAN Controllers
– Built-in guest access capabilities
– Wired or wireless use
– Built-in tunnelling of guest traffic (anchor controller)
Any device is supported through RADIUS authentication
Page 94
Use case: unified web authentication for wired and wireless access by employees and guests
Active Directory
RADIUS Proxy
SSC
Employee
Guest
Parity for Wired / WLAN
Centralized policy and accounting
802.1X/MAB compatibility (Employee)
NAC Guest Server 2.0.2
ACS 5.1
Page 95
Guest activity report
Internet
Name: guestname; IP address: 10.1.1.1
Login time: 15:05; logout time: 14:30
15:07 10.1.1.1 accessed http://www.cisco.com
15:08 10.1.1.1 used the bittorrent protocol
15:09 10.1.1.1 connected to vpn.mycompany.com
Consolidated activity reporting
Page 96
Detailed audit of guest activity
• When the login happened
• Where the login happened
• The guest's address
• What the guest did
• What was allowed
• What was denied
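The six audit questions above, worked as an added Python example that is not NAC Guest Server code: a constructed guest session record is correlated with activity log lines in the format of the previous slide, and each action is marked allowed or denied against a constructed guest policy. The session fields, the log lines, the policy and the switch-port location are all assumptions.

```python
"""Guest activity audit: correlate a guest session with activity log lines by IP
and time, and mark each action allowed or denied by a guest policy.
Added example, not NAC Guest Server code; log format, sessions and policy are constructed."""
import re
from datetime import time

# Constructed activity lines in the slide's format: "HH:MM <ip> <action>"
ACTIVITY_LOG = """15:07 10.1.1.1 accessed http://www.cisco.com
15:08 10.1.1.1 used the bittorrent protocol
15:09 10.1.1.1 connected to vpn.mycompany.com
15:10 10.1.1.2 accessed http://www.example.com"""

# Constructed guest session records (what the guest server knows after web auth)
SESSIONS = [
    {"guest": "guestname", "ip": "10.1.1.1", "location": "Lobby-SW1 Gi1/0/7",
     "login": time(15, 5), "logout": time(15, 30)},
]

# Constructed guest policy: protocols and internal hosts forbidden for guests
DENIED_PROTOCOLS = {"bittorrent"}
DENIED_HOST_SUFFIXES = (".mycompany.com",)

LINE_RE = re.compile(r"^(\d{2}):(\d{2}) (\S+) (.+)$")


def verdict(action: str) -> str:
    """Return 'denied' if the action violates the guest policy, else 'allowed'."""
    m = re.search(r"used the (\S+) protocol", action)
    if m and m.group(1).lower() in DENIED_PROTOCOLS:
        return "denied"
    m = re.search(r"(?:connected to|accessed) (?:https?://)?([\w.-]+)", action)
    if m and m.group(1).lower().endswith(DENIED_HOST_SUFFIXES):
        return "denied"
    return "allowed"


def audit(log_text: str, sessions: list) -> list:
    """Build one audit record per event: who, when, where, which address, what, verdict."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        t = time(int(m.group(1)), int(m.group(2)))
        ip, action = m.group(3), m.group(4)
        for s in sessions:
            # attribute the event only if the IP was held by this guest at that time
            if s["ip"] == ip and s["login"] <= t <= s["logout"]:
                records.append({"guest": s["guest"], "when": t.strftime("%H:%M"),
                                "where": s["location"], "ip": ip,
                                "what": action, "verdict": verdict(action)})
    return records
```

Events from an IP with no matching session (10.1.1.2 above) are not attributed to anyone, which is exactly the gap an operator should notice in such a report.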
Page 97
Conclusions
• Cisco Secure ACS 5.x is the core of the TrustSec system and allows very flexible management of access privileges
• Cisco LMS 4.0 provides integrated management for TrustSec/802.1x deployments
• The Cisco TrustSec solution offers a large number of additional services (guest access, agentless device profiling, integrated management) and is the functional leader in the NAC market
• The next step in the development of Cisco TrustSec solutions is tighter integration in a single platform
Page 98
Questions and Answers
Page 99
We would like to know your opinion.
Please fill in the questionnaire.