cisco acs eduroam
Cisco Secure ACS Overview
By Igor Koudashev, Systems Engineer, Cisco Systems
© 2006 Cisco Systems, Inc. All rights reserved. 1
Cisco Secure Access Control System – Policy Control and Integration Point for Network Access
Enterprise network access control platform:
– Remote Access (VPN)
– Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)
– Administrative access control system for Cisco network devices (TACACS+)
– Auditing, compliance and accounting features
Control point for access policy & application access integration: Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy.
Consistent Policy Control and Compliance
Key Scenarios: Compliance, Device Administration, Remote Access, Wireless and 802.1x, Network Admission Control (NAC)
[Diagram: ACS integrated with CiscoWorks, AD / LDAP, and Posture / Audit servers]
Compliance features:
– Authentication policy (OTP, complex password…)
– Authorization enforcement (network access, device command authorization…)
– Audit logging
ACS – Network Access Control Point
[Diagram: Cisco Secure ACS as the central RADIUS control point, answering "Where? Who? Why?" for every access path]
– Remote Users (Home Office, Road Warrior): Cisco VPN Client via Provider ISP AAA / Dial Access to a VPN Concentrator
– Road Warrior, Campus User, Guest User (Laptop Device): Cisco or CCX WLAN Client to Aironet AP (Web Auth); 802.1x Supplicant to Catalyst Switch / IOS Router
– Enterprise devices: Cisco Trust Agent Posture Client, CTS Device Posture Client, NIC Controller (TRDP)
– Back end: Cisco Secure ACS with User Repository (LDAP, AD, OTP, ODBC) and External Policy and Audit Servers (HCAP, GAME)
Scope annotations on the diagram: "Some of the people some of the time"; "All of the people all of the time"; "All machines"; "All devices"; "User, Machine, Posture".
How is ACS used
Our customers use ACS for:
1. Authentication and authorization (privileges) of remote users (traditional RADIUS)
2. Security of wired and wireless networks (EAP)
3. Administrators' access management to network devices and applications (TACACS+)
4. Security audit reports or account billing information
Ships in two form factors: Software and Appliance.
ACS has been successful because it combines access security, authentication, user and administrator access, and policy control in a centralized identity framework.
AAA – Related Protocols
RADIUS – Remote Authentication Dial In User Service
TACACS+ – Terminal Access Controller Access Control System. TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the TACACS protocol referenced by RFC 1492.
What is RADIUS?
A protocol used to communicate between a network device and an authentication server or database.
Allows the communication of login and authentication information, i.e. Username/Password, OTP, etc.
Allows the communication of arbitrary value pairs using "Vendor Specific Attributes" (VSAs).
Can also act as a transport for EAP messages.
RFC 2058
[Packet layout: UDP Header | RADIUS Header | EAP Payload]
How Cisco Secure ACS Operates
[Diagram: AAA Client (Network Access Server) -> TACACS+ / RADIUS -> Cisco Secure ACS -> Local or Variety of External Databases, supporting a Variety of Authentication Methods]
• AAA Client/Server – AAA Client defers authorization to centralized AAA server
• Highly scalable
• Uses standards-based protocols for AAA services
Some important points of Authentication
– The process of authentication is used to verify a claimed identity
– An identity is only useful as a pointer to an applicable policy and for accounting
– Without authorization or associated policies, authentication alone is pretty meaningless
– An authentication system is only as strong as the method of verification used
Network Access Control Model
[Diagram: Device Access (LAN, Wireless) -> Request for Service (Connectivity) -> 802.1x -> RADIUS -> ACS -> Backend Authentication Support -> Identity Store Integration]
Protocols and Mechanism:
– Extensible Authentication Protocol (EAP – RFC 3748)
– IEEE 802.1x framework
Use of RADIUS
How RADIUS is used here?
RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server).
RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579
[Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload]
RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.
[Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs]
Usage guideline for 802.1x authenticators' use of RADIUS: RFC 3580
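The RADIUS-over-UDP framing and the RFC 3579 EAP transport described on this slide, as an added example that is not part of the original slides: a small Python parser that walks the RADIUS header and attribute TLVs, reassembles the EAP-Message fragments into one EAP packet, and verifies the Message-Authenticator that an Access-Request carrying EAP must include. The packet builder, the shared secret and the user name "alice" are constructed for the example and are not from the original presentation.

```python
import hashlib
import hmac
import struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # attribute types, RFC 2865 / RFC 3579

def parse_radius(pkt):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value, offset)])."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, i = [], 20
    while i < length:  # attribute TLVs: type, length (>= 2, covers the header), value
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]], i))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def extract_eap(attrs):
    """Reassemble EAP-Message fragments in order (RFC 3579) and decode the EAP header."""
    eap = b"".join(v for t, v, _ in attrs if t == EAP_MESSAGE)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("missing EAP-Message or EAP length mismatch")
    return {"code": eap[0], "id": eap[1], "type": eap[4] if len(eap) > 4 else None, "data": eap[5:]}

def message_authenticator_ok(pkt, secret):
    """RFC 3579: an Access-Request carrying EAP-Message must carry exactly one Message-Authenticator,
    the HMAC-MD5 (keyed with the shared secret) over the packet with that 16-byte value zeroed."""
    _, _, _, attrs = parse_radius(pkt)
    ma = [(v, o) for t, v, o in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][0]) != 16:
        return False  # missing or malformed: the server must silently discard the packet
    value, off = ma[0]
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)

def build_access_request(ident, req_auth, secret, user, eap):
    """Constructed sample Access-Request (code 1): User-Name, 253-byte EAP-Message fragments, Message-Authenticator."""
    body = bytes([USER_NAME, 2 + len(user)]) + user
    for i in range(0, len(eap), 253):  # 253 is the largest value an attribute can carry
        chunk = eap[i:i + 253]
        body += bytes([EAP_MESSAGE, 2 + len(chunk)]) + chunk
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zero placeholder, filled in below
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

EAP_IDENTITY_RESPONSE = struct.pack("!BBH", 2, 1, 10) + b"\x01alice"  # constructed EAP Response/Identity
```

The HMAC check only works for an Access-Request; for a response the authenticator field must hold the matching request's authenticator before the HMAC is computed.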
What's EAP?
EAP – The Extensible Authentication Protocol
A flexible protocol used to carry arbitrary authentication information – not the authentication method itself.
Rose out of the need to reduce the complexity of relationships between systems and the increasing need for more elaborate and secure authentication methods.
Typically rides directly over data-link layers such as 802.1x or PPP media.
Originally specified in RFC 2284, obsoleted by RFC 3748.
What does it do?
Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry EAP information.
Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges; EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS.
Three forms of EAP are specified in the standard:
– EAP-MD5: MD5 hashed username/password
– EAP-OTP: one-time passwords
– EAP-GTC: token-card implementations requiring user input
[Packet layout: Ethernet Header | 802.1x Header | EAP Payload]
Current Prevalent Authentication Methods
Challenge-response-based:
– EAP-MD5: Uses MD5 based challenge-response for authentication
– LEAP: Uses username/password authentication
– EAP-MSCHAPv2: Uses username/password MSCHAPv2 challenge-response authentication
Cryptographic-based:
– EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for authentication
Tunneling methods:
– PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like web based SSL
– EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel
– EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment
Other:
– EAP-GTC: Generic token and OTP authentication
IEEE 802.1x
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.
[Diagram: PC -> Switch -> ACS – AAA Server, steps 1 to 4]
1. User activates link (i.e. turns on the PC)
2. Switch requests authentication server if user is authorized to access LAN
3. Authentication server responds with authority access
4. Switch opens controlled port (if authorized) for user to access LAN
Features and Functions
Hardware/Software Platform
ACS implements identity management and AAA services.
CD-ROM version for any Windows 2003 server.
Appliance version delivered on hardened Win2003 OS.
Highly scalable (100,000+ users, thousands of RADIUS/TACACS+ devices) and feature-rich.
Features Unique to the ACS Appliance
– Security-hardened underlying OS.
– Port-based packet filtering, allowing connections only to the ports necessary for Cisco Secure ACS operation.
– Serial console interface for initial configuration, subsequent management of IP connections, Web interface, and application of upgrades and remote reboots. The serial console interface supports both serial line and Telnet connections.
– SNMP read-only support to monitor the appliance from external systems.
– Backup/restore of the Cisco Secure ACS data via FTP.
– Recovery procedures.
– Network Timing Protocol (NTP) support for maintaining network time consistency with other appliances or network devices.
ACS – The Policy Based Network Controller
ACS Versions in the field:
– ACS 4.0 SW (FCS 2004) -> main feature NAC Phase 2 (L2 Posture Validation and external audit, service based policy)
– ACS 4.1 SW (FCS 2006) -> main feature extended logging support, new ACS administrator management, PEAP/EAP-TLS support, Japanese Microsoft Windows Support
– ACS 4.2 SW (FCS 2008)
Service Based Policy
The administrator entirely controls the ACS behavior by configuring aggregated Service Based Policies:
– How to process an access request: do (not) authenticate / using which auth protocols / do (not) validate posture / which posture protocols…
– Credential validation policies (i.e. which DB to use for auth)…
– Classification: map identity to user-group, map posture credentials to posture-token…
– Authorization policies: map from user-group & posture-token to radius profile…
Different policies can be applied to different network access. Example: wireless access vs. remote (VPN) access policy.
ACS Features
– Automatic service monitoring, database synchronization, and importing tools for large-scale deployments
– LDAP, ODBC and OTP (RSA, others) user authentication
– Flexible 802.1X authentication support, including EAP-TLS, Protected EAP (PEAP), Cisco LEAP, EAP-FAST, and EAP-MD5
– Downloadable ACLs for any Layer 3 device, including routers, PIX® firewalls, and VPNs (per user, per group)
– Network & machine access restrictions and filters
– Device command set authorization
– Detailed audit and accounting reports
– Dynamic quota generation
– User and device group profiles
Deployment Scenarios
Cisco Secure ACS
Network Access Scenario – Centralized Access Control Server
[Diagram: Centralized Access Control Server (Cisco Secure ACS, with ACS View) serving three access paths]
– Remote User -> Provider ISP AAA -> Remote Access – VPN -> VPN Concentrator
– Wireless User -> Aironet AP -> Wireless 802.1x – EAP-TLS
– Wired user -> Catalyst Switch / IOS Router -> LAN 802.1x – EAP-FAST
– Enterprise back end: RADIUS to Cisco Secure ACS, User Repository (LDAP, AD, OTP, ODBC), External Policy and Audit Servers (HCAP, GAME)
Device Administration Scenario
[Diagram: Network Administrators authenticated through ACS (T+ or RADIUS, with replication between ACS servers) to Routers, Switches, APs across a Security Perimeter]
– Backbone: FULL ACCESS
– West-APs: PARTIAL
– East: READ ONLY
– Unix, DSMS, PBX: SERVER ACCESS
– Terminal Server System Access
– Syslog, ACS or RA logging server
– Secure auth mechanisms
GUI Interface/Screen Shots
Cisco Secure ACS – Accessing GUI
Remote Administrator authentication page (http://server-name/IP:2002). Administrator must be configured prior to remote login. If accessed on the local system (for example, using 127.0.0.1 as the IP address) this page is not displayed and the administrator gains access.
Cisco Secure ACS Home Page
NAP – Network Access Profile