© 2013 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Joining Audio Broadcast

2

1.  Audio Broadcast window should automatically pop up; Audio will be streamed through your computer speakers

2.  If Audio Broadcast window does not appear, go to Communicate menu and select Audio Broadcast

3.  You will hear hold music until the event begins

4.  If you are unable to hear via your PC speakers, click the Phone button to request dial-in instructions

© 2013 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Submit Questions

3

1.  Click on the Q&A arrow to expand the Q&A panel

2.  Type your question Technical Assistance – send to Host Content Questions – send to All Panelists

3.  Click the Send button

© 2013 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Thank You for Joining Us Today

5

Download a copy of todays slides using the link in the chat.

Today’s webcast will be available on-demand within 48hrs.

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

Your Presenter

6

Brandon Carroll

The ABC’s Of Identity Management Session ID CP-1002

Brandon Carroll, CCIE #23837

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

AAA Identity Management Security

8

Introduction

Overview of Identity Management

TACACS+ RADIUS

802.1X

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

AAA

12

AAA is a Framework

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

Authentication

§ Who are you?

§ Can be based on: –  Something you have –  Something you know –  Something you are

§ Without identifying who you are, how can I determine what your privileges should be?

§  Providing Authentication Information = Keys to the lock

13

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

Authorization

14

§ What can you do? –  Can you access privilege exec on a router? –  Can you surf the Internet? –  Can you access VLAN100? –  Do you need to be postured?

§  The bigger chunk of what we do. –  Most of the policy is here.

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

Accounting

§  A Paper Trail –  Good to know what went on. –  We can then go back and analyze

15

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

A Question Arises…

16

Where’s all this information stored?

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

Local vs. Remote

17

Local is limited…

However,

Offloading the control gives us much more capability

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

Two External Protocols and Two External Servers

§ TACACS+ § RADIUS

§ Cisco Secure Access Control Server

§ Cisco Identity Services Engine

18

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

TACACS+

19

§  Terminal Access Controller Access-Control System Plus §  Separate Authentication, Authorization & Accounting services §  TCP port 49 §  Encrypts the body of the packet for secure communications

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

RADIUS

20

§ Remote Authentication Dial In User Service § Developed by Livingston Enterprises, Inc. in 1991 § Uses UDP

–  Port 1645 (legacy) and 1812 for Authentication and Authorization –  Port 1646 (legacy) and 1813 for Accounting

§  Three responses from a RADIUS Server to a Network Access Device (NAD) –  Access Reject –  Access Challenge –  Access Accept.

§  Authorization values also sent to NAD (dACL, VLAN, SGT, etc…) –  Attribute Value Pairs (AVP) carry data in both the request and the response for the

authentication, authorization, and accounting transactions. –  Vendors can create their own Vendor-specific attributes

§ Uses a Shared-secret to obfuscate the passwords it passes. § Used for 802.1X authentication

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

802.1X

21

§  IEEE standard for Port-based Access Control

§ Mechanism for authentication of devices connecting to a LAN or WLAN

§  Encapsulates Extensible Authentication Protocol (EAP) over IEEE 802 (EAPOL)

Identity Management for End Users

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

802.1X Elements

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

802.1X Elements

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

The Role of Cisco ISE

25

Authentication Server

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

The Role of Cisco Switches

26

Network Access Device

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

The Role of Wireless LAN Controllers

27

§  Also act as a NAD §  Talks to clients using 802.1X §  Talks to Cisco ISE using RADIUS §  Applies policy as directed by Cisco ISE

Simple Configuration of 802.1x with Cisco ISE

28

Demo (As Time Permits)

Identity Management for Administrative Access

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

TACACS+

30

§ More commonly used for administrative authentications §  Enables Command Authorization Capability § Works with CSACS § Currently not supported in Cisco ISE 1.2

TCP / 49

Separate Authentication, Authorization, and Accounting processes

Encrypts the entire packet

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

Cisco Secure ACS

31

Add Network Devices

Create Identity Group

Define User & Associate To Group

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

The Role of Cisco IOS Routers & SwitchesUsing Command Authorization

32

© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public

Thank You for Joining Us Today

33

Download a copy of todays slides using the link in the chat.

Today’s webcast will be available on-demand within 48hrs.

Please complete the survey after closing the WebEx event.