Cisco ACS Overview
DESCRIPTION
ACS information overview: consistent policy control and compliance; how ACS is used; what RADIUS is; how Cisco Secure ACS operates. The AAA client (the Network Access Server) defers authorization to the centralized AAA server over TACACS+ or RADIUS, which validates credentials against a variety of authentication methods and local or external databases. The AAA client/server model is highly scalable and uses standards-based protocols for AAA services.
TRANSCRIPT
-
Cisco Secure Access Control System: Policy Control and Integration Point for Network Access
Enterprise network access control platform:
• Remote Access (VPN)
• Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)
• Administrative access control system for Cisco network devices (TACACS+)
• Auditing, compliance and accounting features
• Control point for access policy & application access integration
• Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy
© 2006 Cisco Systems, Inc. All rights reserved. Presentation_ID
-
Consistent Policy Control and Compliance
Key scenarios: Device Administration, Remote Access, CiscoWorks, Wireless and 802.1x, Network Admission Control (NAC); ACS backed by AD / LDAP
Compliance features:
• Posture / Audit
• Authentication policy (OTP, complex password)
• Authorization enforcement (network access, device command authorization)
• Audit logging
-
ACS Network Access Control Point
[Figure: ACS as the network access control point; the diagram is organised around Where?, Who? and Why?]
• Remote users (Home Office, Road Warrior): Dial Access through the provider's ISP AAA; Cisco VPN Client to the VPN Concentrator
• Campus user / Guest user on a laptop device: Cisco or CCX WLAN Client to an Aironet AP (Web Auth), 802.1x Supplicant
• Enterprise: Catalyst Switch, IOS Router, CTS Device, Cisco Trust Agent Posture Client, NIC Controller (TRDP)
• Cisco Secure ACS, reached over RADIUS, backed by a User Repository (LDAP, AD, OTP, ODBC) and External Policy and Audit Servers (HCAP, GAME)
• Coverage tiers shown: "Some of the people some of the time", "All of the people all of the time", "All machines", "All devices"; decisions are based on User, Machine, Posture
-
How is ACS used
Our customers use ACS for:
1. Authentication and authorization (privileges) of remote users (traditional RADIUS)
2. Security of wired and wireless networks (EAP)
3. Administrators' access management to network devices and applications (TACACS+)
4. Security audit reports or account billing information
Ships in two form factors: Software and Appliance
ACS has been successful because it combines access security, authentication, user and administrator access, and policy control in a centralized identity framework
-
AAA Related Protocols
• RADIUS - Remote Authentication Dial In User Service
• TACACS+ - Terminal Access Controller Access Control System
TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the TACACS protocol referenced by RFC 1492.
-
What is RADIUS?
• A protocol used to communicate between a network device and an authentication server or database.
• Allows the communication of login and authentication information, i.e. Username/Password, OTP, etc.
• Allows the communication of arbitrary value pairs using Vendor Specific Attributes (VSAs).
• Can also act as a transport for EAP messages.
• RFC 2058
[Figure: packet layout - UDP Header | RADIUS Header | EAP Payload]
-
How Cisco Secure ACS Operates
[Figure: AAA Client (Network Access Server) <-- TACACS+ / RADIUS --> Cisco Secure ACS <--> Variety of Authentication Methods; Local or Variety of External Databases]
• AAA Client/Server - AAA Client defers authorization to centralized AAA server
• Highly scalable
• Uses standards-based protocols for AAA services
-
Some important points of Authentication
• The process of authentication is used to verify a claimed identity
• An identity is only useful as a pointer to an applicable policy and for accounting
• Without authorization or associated policies, authentication alone is pretty meaningless
• An authentication system is only as strong as the method of verification used
-
Network Access Control Model
[Figure: Device Access (LAN, Wireless) -- Request for Service (Connectivity) -- 802.1x --> ACS -- RADIUS --> Backend Authentication Support / Identity Store Integration]
Protocols and Mechanism:
• Extensible Authentication Protocol (EAP, RFC 3748)
• IEEE 802.1x framework
• Use of RADIUS
-
How RADIUS is used here?
• RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)
• RFC 3579: how RADIUS should support EAP between authenticator and authentication server
[Figure: IP Header | UDP Header | RADIUS Header | EAP Payload]
• RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs
[Figure: IP Header | UDP Header | RADIUS Header | AV Pairs]
• RFC 3580: usage guideline for 802.1x authenticators' use of RADIUS
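The two packet layouts above ("What is RADIUS?" and this slide) can be made concrete in a few dozen lines. The following is an added example, not code from the original presentation or from Cisco: it builds an Access-Request whose EAP payload rides in EAP-Message (79) attributes, protects it with the Message-Authenticator (80) that RFC 3579 requires whenever EAP-Message is present, and answers with an Access-Accept that carries a policy instruction back to the authenticator as a Cisco VSA (Vendor-Id 9, cisco-avpair). The shared secret, the identity and the AV pair value are constructed sample values, and the IP/UDP headers are left to the socket layer.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 26, 79, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # IANA enterprise 9 = Cisco; sub-type 1 = cisco-avpair


def eap_response_identity(identifier, identity):
    """EAP Response (Code 2) / Identity (Type 1): Code|Id|Length|Type|data (RFC 3748)."""
    body = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def avp(attr_type, value):
    """One RADIUS attribute: Type|Length|Value, value at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) carrying Vendor-Id 9 and a cisco-avpair string."""
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_data)


def eap_message_attrs(eap):
    """An EAP payload is split, in order, across 253-byte EAP-Message attributes."""
    return b"".join(avp(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))


def sign(code, identifier, authenticator, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, whole packet with that value zeroed)."""
    attrs = attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac          # the zeroed value is the last 16 bytes of the packet


def build_access_request(identifier, attrs, secret):
    request_authenticator = os.urandom(16)   # fresh random value per request (RFC 2865)
    return sign(ACCESS_REQUEST, identifier, request_authenticator, attrs, secret)


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """Reply: HMAC is computed with the Request Authenticator in place, then the
    Response Authenticator = MD5(Code|Id|Length|RequestAuth|Attributes|Secret)."""
    pkt = sign(ACCESS_ACCEPT, identifier, request_authenticator, attrs, secret)
    response_authenticator = hashlib.md5(pkt + secret).digest()
    return pkt[:4] + response_authenticator + pkt[20:]


def attributes(pkt):
    """Walk Type|Length|Value triples after the 20-byte header; reject malformed lengths."""
    out, pos = [], 20
    while pos < len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return out


def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """True if Message-Authenticator checks out; for replies pass the Request Authenticator."""
    auth = request_authenticator or pkt[4:20]
    pos = 20
    for t, v in attributes(pkt):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:4] + auth + pkt[20:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        pos += 2 + len(v)
    return False   # RFC 3579: a packet carrying EAP-Message without it must be discarded


def verify_response_authenticator(reply, request_authenticator, secret):
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def reassemble_eap(pkt):
    return b"".join(v for t, v in attributes(pkt) if t == EAP_MESSAGE)


def demo():
    secret = b"constructed-shared-secret"                   # constructed sample value
    eap = eap_response_identity(1, "alice@example.test")    # constructed identity
    req = build_access_request(7, avp(USER_NAME, b"alice@example.test") + eap_message_attrs(eap), secret)
    req_auth = req[4:20]
    reply = build_access_accept(7, req_auth, cisco_avpair("shell:priv-lvl=15"), secret)
    tampered = req[:-1] + bytes([req[-1] ^ 1])             # one flipped bit in the MAC
    return {
        "request_ok": verify_message_authenticator(req, secret),
        "eap_roundtrip": reassemble_eap(req) == eap,
        "tampered_ok": verify_message_authenticator(tampered, secret),
        "reply_ok": verify_message_authenticator(reply, secret, req_auth)
                    and verify_response_authenticator(reply, req_auth, secret),
        "avpair": [v[6:] for t, v in attributes(reply) if t == VENDOR_SPECIFIC][0],
    }
```

The point to take from `verify_message_authenticator` is the `return False` at the end: without Message-Authenticator, nothing in an Access-Request binds the EAP-Message attributes to the shared secret, which is why RFC 3579 makes the attribute mandatory for EAP and why a server should drop such packets rather than process them.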
-
What's EAP?
• EAP: The Extensible Authentication Protocol
• A flexible protocol used to carry arbitrary authentication information, not the authentication method itself.
• Rose out of the need to reduce the complexity of relationships between systems and the increasing need for more elaborate and secure authentication methods
• Typically rides directly over data-link layers such as 802.1x or PPP media.
• Originally specified in RFC 2284, obsoleted by RFC 3748
-
What does it do?
• Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
• A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry EAP information
• Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges; EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS
• Three forms of EAP are specified in the standard:
  EAP-MD5: MD5 hashed username/password
  EAP-OTP: one-time passwords
  EAP-GTC: token-card implementations requiring user input
[Figure: Ethernet Header | 802.1x Header | EAP Payload]
-
Current Prevalent Authentication Methods
Challenge-response-based:
• EAP-MD5: Uses MD5 based challenge-response for authentication
• LEAP: Uses username/password authentication
• EAP-MSCHAPv2: Uses username/password MSCHAPv2 challenge-response authentication
Cryptographic-based:
• EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for authentication
Tunneling methods:
• PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like web based SSL
• EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel
• EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment
Other:
• EAP-GTC: Generic token and OTP authentication
-
IEEE 802.1x
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports
[Figure: PC -- Switch -- ACS (AAA Server), with the four numbered steps below]
1. User activates link (i.e. turns on the PC)
2. Switch requests authentication server if user is authorized to access LAN
3. Authentication server responds with authority access
4. Switch opens controlled port (if authorized) for user to access LAN
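The four steps above, and the Ethernet | 802.1x | EAP layout from the "What does it do?" slide, are easiest to follow with a small authenticator model. This is an added example and not code from the original presentation or from Cisco: it builds EAPOL frames (EtherType 0x888E, header Version|Type|Length), keeps the controlled port closed until the server returns EAP Success, and reopens the question on EAPOL-Logoff. The AAA server side is a constructed identity table standing in for the RADIUS exchange; MAC addresses and identities are constructed sample values.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol_frame(src, dst, eapol_type, eap=b""):
    """Ethernet Header | 802.1x (EAPOL) Header | EAP Payload; EAPOL protocol version 1."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(eap)) + eap


def parse_frame(frame):
    """Returns (dst, src, eapol_type or None for non-EAPOL traffic, eap payload)."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return dst, src, None, b""
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    return dst, src, eapol_type, frame[18:18 + length]


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP Code|Id|Length[|Type|data]; Success and Failure carry no Type."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


class Authenticator:
    """Switch-side 802.1X port: closed until the authentication server answers Success."""

    def __init__(self, port_mac, server_decision):
        self.port_mac = port_mac
        self.server_decision = server_decision   # callable: EAP response bytes -> EAP reply bytes
        self.authorized = False
        self.next_id = 1

    def handle(self, frame):
        """Returns (frames sent back to the supplicant, whether the frame was forwarded to the LAN)."""
        dst, src, eapol_type, eap = parse_frame(frame)
        if eapol_type is None:
            return [], self.authorized            # ordinary traffic passes only through an open port
        if eapol_type == EAPOL_START:             # step 1: link up, supplicant asks to authenticate
            req = eap_packet(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
            return [eapol_frame(self.port_mac, src, EAPOL_EAP_PACKET, req)], False
        if eapol_type == EAPOL_LOGOFF:
            self.authorized = False
            return [], False
        if eapol_type == EAPOL_EAP_PACKET and eap[:1] == bytes([EAP_RESPONSE]):
            reply = self.server_decision(eap)     # steps 2-3: relay to the server, act on its verdict
            self.authorized = reply[0] == EAP_SUCCESS   # step 4: open or keep closed
            self.next_id += 1
            return [eapol_frame(self.port_mac, src, EAPOL_EAP_PACKET, reply)], False
        return [], False


def table_server(allowed_identities):
    """Constructed stand-in for the AAA server: accept known identities, reject the rest."""
    def decide(eap_response):
        code, identifier, length = struct.unpack("!BBH", eap_response[:4])
        identity = ""
        if eap_response[4:5] == bytes([EAP_TYPE_IDENTITY]):
            identity = eap_response[5:length].decode(errors="replace")
        verdict = EAP_SUCCESS if identity in allowed_identities else EAP_FAILURE
        return eap_packet(verdict, identifier)
    return decide


def run_scenario(identity):
    """Walk the four steps of the slide for one supplicant identity (constructed MACs)."""
    switch = Authenticator(bytes.fromhex("00000c000001"), table_server({"alice"}))
    pc = bytes.fromhex("001122334455")
    # an ordinary IPv4 frame from the PC, used to probe whether the controlled port is open
    data_frame = bytes.fromhex("ffffffffffff") + pc + struct.pack("!H", 0x0800) + b"payload"
    forwarded_before = switch.handle(data_frame)[1]
    out, _ = switch.handle(eapol_frame(pc, PAE_GROUP_MAC, EAPOL_START))
    request_id = out[0][19]                       # EAP Identifier of the Request/Identity
    response = eap_packet(EAP_RESPONSE, request_id, EAP_TYPE_IDENTITY, identity.encode())
    out, _ = switch.handle(eapol_frame(pc, PAE_GROUP_MAC, EAPOL_EAP_PACKET, response))
    verdict = parse_frame(out[0])[3][0]           # EAP Success (3) or Failure (4)
    forwarded_after = switch.handle(data_frame)[1]
    switch.handle(eapol_frame(pc, PAE_GROUP_MAC, EAPOL_LOGOFF))
    return {"forwarded_before": forwarded_before, "verdict": verdict,
            "forwarded_after": forwarded_after,
            "forwarded_after_logoff": switch.handle(data_frame)[1]}
```

Before the exchange the data frame is dropped, after Success it is forwarded, and Logoff closes the port again; a real switch would also time the session out and re-authenticate, which this model omits.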
-
Features and Functions
-
Service Based Policy
The administrator entirely controls the ACS behavior by configuring aggregated Service Based Policies:
• How to process an access request: do (not) authenticate / using which auth protocols / do (not) validate posture / which posture protocols
• Credential validation policies (i.e. which DB to use for auth)
• Classification: map identity to user-group, map posture credentials to posture-token
• Authorization policies: map from user-group & posture-token to radius profile
Different policies can be applied to different network access. Example: wireless access vs. remote (VPN) access policy
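The four policy stages listed above (request processing, credential validation, classification, authorization) chain together into one Policy Decision Point evaluation. The following is an added example, not ACS code or configuration from the presentation: it encodes a constructed policy set with a wireless service (posture validated, AD as the store) and a VPN service (no posture, OTP store), classifies the identity into a user-group and the posture into a token, and resolves the (user-group, posture-token) pair to a RADIUS profile. Service names, identities, directory groups and the profile attribute values are all constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequest:
    service: str              # which network access the request arrived on (constructed labels)
    identity: str
    auth_protocol: str
    posture: Optional[dict]   # posture credentials reported by the client, or None


@dataclass
class ServicePolicy:
    authenticate: bool
    allowed_protocols: set
    validate_posture: bool
    identity_store: str       # which DB validates the credential


@dataclass
class Decision:
    accept: bool
    reason: str
    group: str = ""
    posture_token: str = ""
    radius_profile: Optional[dict] = None


# Constructed sample configuration: one service policy per kind of network access
SERVICE_POLICIES = {
    "wireless": ServicePolicy(True, {"EAP-TLS", "PEAP", "EAP-FAST"}, True, "AD"),
    "vpn":      ServicePolicy(True, {"MSCHAPv2", "PAP"}, False, "OTP"),
}
# Constructed identity stores: store -> identity -> directory groups
IDENTITY_STORES = {
    "AD":  {"alice": {"employees", "engineering"}, "bob": {"contractors"}},
    "OTP": {"alice": {"employees"}},
}
# Classification: first matching directory group wins, otherwise Guests
GROUP_RULES = [("engineering", "Engineers"), ("employees", "Employees"), ("contractors", "Contractors")]
# Authorization: (user-group, posture-token) -> RADIUS profile; "*" matches anything; first match wins
AUTHZ_RULES = [
    ("*",         "Quarantine",   {"Tunnel-Private-Group-ID": "99", "Filter-Id": "remediation-only"}),
    ("Engineers", "Healthy",      {"Tunnel-Private-Group-ID": "10", "Filter-Id": "permit-all"}),
    ("Employees", "Healthy",      {"Tunnel-Private-Group-ID": "20", "Filter-Id": "employee-acl"}),
    ("Employees", "NotValidated", {"Tunnel-Private-Group-ID": "20", "Filter-Id": "employee-acl"}),
    ("*",         "Checkup",      {"Tunnel-Private-Group-ID": "20", "Filter-Id": "employee-acl"}),
]


def classify_group(directory_groups):
    for dir_group, user_group in GROUP_RULES:
        if dir_group in directory_groups:
            return user_group
    return "Guests"


def posture_token(posture):
    """Map posture credentials to Healthy / Checkup / Quarantine; missing or stale data is Quarantine."""
    if not posture or posture.get("patch_level") != "current":
        return "Quarantine"
    age = posture.get("av_signature_age_days", 999)
    return "Healthy" if age <= 7 else "Checkup" if age <= 30 else "Quarantine"


def authorize(group, token):
    for rule_group, rule_token, profile in AUTHZ_RULES:
        if rule_group in ("*", group) and rule_token in ("*", token):
            return profile
    return None


def evaluate(req):
    """Policy Decision Point: every stage must pass, and the default is to deny."""
    policy = SERVICE_POLICIES.get(req.service)
    if policy is None:
        return Decision(False, "no service policy for %s" % req.service)
    if policy.authenticate:
        if req.auth_protocol not in policy.allowed_protocols:
            return Decision(False, "protocol %s not allowed for %s" % (req.auth_protocol, req.service))
        store = IDENTITY_STORES[policy.identity_store]
        if req.identity not in store:
            return Decision(False, "identity not found in %s" % policy.identity_store)
        group = classify_group(store[req.identity])
    else:
        group = "Guests"
    token = posture_token(req.posture) if policy.validate_posture else "NotValidated"
    profile = authorize(group, token)
    if profile is None:
        return Decision(False, "no authorization rule for (%s, %s)" % (group, token), group, token)
    return Decision(True, "authorized", group, token, profile)
```

The same identity gets different results on different services: on wireless, alice's posture decides between VLAN 10 and the quarantine VLAN, while on VPN posture is not validated and the Employees rule applies. The absence of a matching authorization rule denies rather than falls through, which is the behaviour to check for in any policy engine of this shape.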
-
ACS Features
• Automatic service monitoring, database synchronization, and importing tools for large-scale deployments
• LDAP, ODBC and OTP (RSA, others) user authentication
• Flexible 802.1X authentication support, including EAP-TLS, Protected EAP (PEAP), Cisco LEAP, EAP-FAST, and EAP-MD5
• Downloadable ACLs for any Layer 3 device, including routers, PIX firewalls, and VPNs (per user, per group)
• Network & machine access restrictions and filters
• Device command set authorization
• Detailed audit and accounting reports
• Dynamic quota generation
• User and device group profiles
-
Deployment Scenarios
Cisco Secure ACS
-
Network Access Scenario: Centralized Access Control Server
[Figure: three access paths converging on the centralized Cisco Secure ACS]
• Remote Access - VPN: Remote User -> Provider ISP AAA -> VPN Concentrator
• Wireless: Wireless User -> Aironet AP, 802.1x EAP-TLS, RADIUS
• LAN: Wired user -> Catalyst Switch, 802.1x EAP-FAST
• Enterprise: IOS Router; ACS View; User Repository (LDAP, AD, OTP, ODBC); External Policy and Audit Servers (HCAP, GAME)
-
Device Administration Scenario
[Figure: Network Administrators authenticate through ACS (T+ or RADIUS) to Routers, Switches, APs]
• Access levels by device group: Backbone - FULL ACCESS; West-APs - PARTIAL; East - READ ONLY
• Security Perimeter
• Syslog, ACS or RA logging server
• Unix SERVER ACCESS; PBX SERVER ACCESS; DSMS
• ACS replication
• Terminal Server System Access
• Secure auth mechanisms
-