eID Cards and “Identity Based Networking Services”
Because “Networks” are an integral part of the total solution.
Walter Gillis, Account Manager for Flemish [email protected], Tel.: +32 476 476 006
Cisco IBNS - eID
The Political / Technical Challenge: opening up the “internal network”
Align the social infrastructure with the collaborative needs of their “Citizens”. Work, Learn, Play!
Change from “controlling the flows of info” into “facilitating networks of info”.
Who is sitting next to you and what can you/he do?
IBNS in practice.
Library. A wired and/or wireless network is offered to access resources like Internet, printers, web servers, …
Access for “civil servants” is different than for “citizens”:
• Citizens only need access to the Internet, printers and city web servers.
• Civil servants can access internal applications by using their eID.
IBNS in practice: Teleworking
Teleworking using SSL-VPNs
Citizens: can “authenticate” the user in the eLocket application instead of the connection, by using IBNS with eID. Avoids an unknown neighbour listening in.
Public Servant: can use ALL the internal applications (data/voice) as if @ work.
…While the Assets Needing to be Protected are Expanding
[Diagram labels: Service Provider/Internet, Teleworker, City Hall, VPN Head-End, Cable Provider, 831, Airport, Library, Partner/Vendor]
One physical network must accommodate multiple logical networks (user groups), each with its own rules.
IDENTITY: So, you said MAC Address?
Win 2K & XP allow easy change of MAC addresses.
MAC address is not an authentication mechanism…
User Identity Based Network Access
Determining “who” gets access and “what” they can do
• Equivalent to placing a Security Guard at each Switch Port
• Only Authorized users can get Network Access
• Unauthorized users can be placed into “Guest” VLANs
• Prevents unauthorized APs
[Diagram labels: Campus Network; User Based Policies Applied (BW, QoS etc); Authorized Users/Devices; Unauthorized Users/Devices]
Some IEEE Terminology
IEEE Terms → Normal People Terms
Supplicant → Client
Authenticator → Network Access Device
Authentication Server → AAA/RADIUS Server
Wired Access Control Model
Client and switch talk 802.1x; the switch speaks to the auth server using RADIUS.
The actual authentication conversation is between the client and the auth server using EAP; the switch is just a middleman, but is aware of what’s going on.
• RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server).
• RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.
Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload / AV Pairs
Identity Based Network Services (IBNS)
802.1x flow as drawn on the slide:
• Login Request (client → switch)
• Login Info (switch → CiscoSecure ACS)
• Verify Login and Check with Policy DB (ACS ↔ Active Directory: Login + Certificate / Login Verified)
• Login Good! Apply Policies: set port to enable; set port vlan 10
• Switch applies policies and enables port (VLAN 10, Engineering VLAN)
[Diagram components: CiscoSecure ACS: AAA Radius Server, 802.1x Authentication Server; Active Directory: Login and Certificate Services; 802.1x Capable Access Devices: 6500 Series, 4000 Series, 3550/2950 Series, Access Points; 802.1x Capable Client: IEEE 802.1x + VLANs + VVID + ACL + QoS]
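The exchange on the two slides above, as an added example that is not part of the original deck and not Cisco code: a self-contained Python simulation of supplicant, authenticator (switch) and RADIUS server. It builds a real RADIUS Access-Request carrying the EAP-Response/Identity in an EAP-Message attribute with a Message-Authenticator (RFC 3579), has the server answer with an Access-Accept plus the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID AV pairs that assign VLAN 10 (RFC 2868), and has the switch verify the Response Authenticator before it enables the port in that VLAN. The shared secret, the policy database (alice@city.example), the guest VLAN 99 and the RADIUS identifier are constructed values; a production exchange runs a full EAP method (EAP-TLS, PEAP) through several Access-Challenge round trips, which this example omits so that the transport and the policy plumbing stay visible.

```python
"""Added example (not code from the Cisco deck): offline simulation of the
802.1x / RADIUS exchange on the slides. Codes and attribute numbers follow
RFC 2865, 2868, 3579 and 3748; secret, users and VLAN ids are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3            # RADIUS codes
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80         # RADIUS attribute types
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6                   # RFC 2868 values
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE, EAP_TYPE_IDENTITY = 2, 3, 4, 1

SHARED_SECRET = b"constructed-switch-acs-secret"   # constructed switch <-> ACS secret
REQUEST_ID = 7                                      # RADIUS Identifier used below
POLICY_DB = {"alice@city.example": "10"}           # constructed ACS/AD policy DB: user -> VLAN
GUEST_VLAN = "99"                                   # constructed guest VLAN

def encode_attrs(attrs):
    """RADIUS attributes are TLVs: Type (1 byte), Length (1 byte, incl. header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity as the supplicant sends it inside EAPOL."""
    payload = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(payload)) + payload

def build_access_request(ident, identity, eap):
    """Authenticator -> server: EAP in an EAP-Message attribute (RFC 3579). The
    Message-Authenticator is HMAC-MD5 over the packet with its value zeroed; it is last."""
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, identity.encode()), (EAP_MESSAGE, eap),
                         (MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(SHARED_SECRET, pkt, hashlib.md5).digest()

def radius_server(request):
    """Authentication server: check the request, consult the policy DB, answer with
    Access-Accept carrying VLAN AV pairs or Access-Reject. Returns None on a bad request."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    expected = hmac.new(SHARED_SECRET, request[:-16] + bytes(16), hashlib.md5).digest()
    if code != ACCESS_REQUEST or not hmac.compare_digest(attrs.get(MESSAGE_AUTHENTICATOR, b""), expected):
        return None                                   # RFC 3579: silently discard
    eap = attrs[EAP_MESSAGE]
    eap_id, identity = eap[1], eap[5:].decode()       # Code, Id, Length(2), Type, then identity
    if identity in POLICY_DB:                         # "Login Good! Apply Policies"
        code, body = ACCESS_ACCEPT, encode_attrs([
            (EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, eap_id, 4)),
            (TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + POLICY_DB[identity].encode())])
    else:
        code, body = ACCESS_REJECT, encode_attrs(
            [(EAP_MESSAGE, struct.pack("!BBH", EAP_FAILURE, eap_id, 4))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + SHARED_SECRET).digest() + body

def apply_response(request, response):
    """Authenticator: verify the answer against the request it sent, then turn the
    AV pairs into a port decision. Never trusts an Accept it cannot authenticate."""
    if response is None:
        return {"authorized": False, "vlan": None, "reason": "no valid response"}
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + SHARED_SECRET).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        return {"authorized": False, "vlan": None, "reason": "bad Response Authenticator"}
    if code != ACCESS_ACCEPT:
        return {"authorized": False, "vlan": None, "reason": "Access-Reject"}
    attrs = dict(decode_attrs(response[20:length]))
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")):
        return {"authorized": True, "vlan": None, "reason": "Access-Accept, no VLAN"}
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    vlan = (group[1:] if group[0] < 0x20 else group).decode()   # a leading byte < 0x20 is a tag
    return {"authorized": True, "vlan": vlan, "reason": "Access-Accept"}

def authenticate_port(identity):
    """Switch-side flow for one port, the 'security guard at the switch port'.
    identity=None models a client that never answers EAP; such ports go to the guest VLAN."""
    if identity is None:
        return {"authorized": False, "vlan": GUEST_VLAN, "reason": "no supplicant, guest VLAN"}
    request = build_access_request(REQUEST_ID, identity, eap_identity_response(1, identity))
    return apply_response(request, radius_server(request))
```

Three things the slides state become concrete here: the switch only relays the EAP envelope and never sees the credential; its trust in “Login Good!” rests on the shared secret through the Response Authenticator, so an Access-Accept whose VLAN field has been altered in transit is discarded and the port stays unauthorized; and the VLAN is honoured only when Tunnel-Type and Tunnel-Medium-Type are consistent with an 802 VLAN assignment.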
Campus Identity: Supplicants
• Possible End-Points:
  Windows XP – Yes
  Windows 2000 – Yes (SP3 + KB)
  Linux – Yes
  HP-UX – Yes
  Solaris – Yes
  HP Printers – Yes
  Windows 98 – Limited
  Windows NT4 – Limited
  Apple – Yes
  IP Phones – Yes
  WLAN APs – Yes
  …
[Diagram labels: Windows, HP Jet Direct, Solaris, 7920, Apple, IP Phones, WLAN APs, Pocket PC]
Cisco IBNS Features and Benefits
Enhanced Port Based Access Control
Greater flexibility and mobility for a stratified user community
Enhanced User Productivity
Added support for converged VoIP networks
• Centralized Management with Cisco Secure ACS
• Wireless Mobility with 802.1X and EAP Authentication Types
• Catalyst Switch Portfolio
• Basic 802.1X Support
• 802.1X with VLANs
• 802.1X with Port Security
• 802.1X with VVID
• 802.1X Guest VLANs
• 802.1X with ACLs
• High Availability for 802.1X
• High Availability for Port Security
Cisco Secure ACS in a Nutshell
Pervasive identity networking solution and centralized secure user/admin AAA experience for Cisco intelligent information networks.
[Diagram labels: End User Client, AAA Client, RADIUS/TACACS+, AAA server (Cisco Secure ACS), User DB, Unknown User DB, Authentication / Limited authorization]
• End user clients: Windows 98, ME, NT4, 2000, XP, MAC, Linux…
• Authentication protocols: PAP, CHAP, MSCHAP (dial, VPN); LEAP (Wireless); EAP-MD5, EAP-TLS, PEAP (802.1X for Wired and Wireless LAN)
• User databases: CSDB, NT/AD, NDS, LDAP, ODBC, OTP, RADIUS proxy
• AAA clients: AS53xx/AS54xx (dial); DSL, VoIP, Cable; CE/CDM (Content); IOS routers; PIX/VPN; Wireless (Aironet); 2950/3550/4x00/6500 (Catalyst); VMS, HSE, WSLE (Cisco Works)…
• ACS platforms: Windows 2000, Windows Server 2003, 1RU Appliance
© 2002, Cisco Systems, Inc. All rights reserved.