TRANSCRIPT
© 2013 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Joining Audio Broadcast
1. Audio Broadcast window should automatically pop up; Audio will be streamed through your computer speakers
2. If Audio Broadcast window does not appear, go to Communicate menu and select Audio Broadcast
3. You will hear hold music until the event begins
4. If you are unable to hear via your PC speakers, click the Phone button to request dial-in instructions
Submit Questions
1. Click on the Q&A arrow to expand the Q&A panel
2. Type your question
   – Technical Assistance: send to Host
   – Content Questions: send to All Panelists
3. Click the Send button
© 2014 Cisco and/or its affiliates. All rights reserved. Session ID CP-1002 Cisco Public
The ABC’s Of Identity Management (Session ID CP-1002)
Your Presenter
Brandon Carroll, CCIE #23837
AAA Identity Management Security
§ Introduction
§ Overview of Identity Management
§ TACACS+
§ RADIUS
§ 802.1X
AAA
§ AAA is a framework, not a single protocol: Authentication, Authorization and Accounting are three distinct functions, taken in turn on the next slides
Authentication
§ Who are you?
§ Can be based on:
  – Something you have
  – Something you know
  – Something you are
§ Without identifying who you are, how can I determine what your privileges should be?
§ Providing Authentication Information = Keys to the lock
Authorization
§ What can you do?
  – Can you access privileged EXEC on a router?
  – Can you surf the Internet?
  – Can you access VLAN 100?
  – Does your endpoint need a posture assessment first?
§ The bigger chunk of what we do: most of the policy lives here.
Accounting
§ A paper trail: good to know what went on, so we can go back and analyze it
A Question Arises…
Where’s all this information stored?
Local vs. Remote
Local is limited; offloading the control to an external AAA server gives us much more capability.
Two External Protocols and Two External Servers
§ Protocols: TACACS+ and RADIUS
§ Servers: Cisco Secure Access Control Server (ACS) and Cisco Identity Services Engine (ISE)
TACACS+
§ Terminal Access Controller Access-Control System Plus
§ Separate Authentication, Authorization & Accounting services
§ TCP port 49
§ Obfuscates the body of the packet (the header stays in cleartext) with an MD5-derived pad keyed by the shared secret; RFC 8907 explicitly classes this as obfuscation rather than encryption, so keep it on a trusted management network or inside a tunnel
RADIUS
§ Remote Authentication Dial In User Service
§ Developed by Livingston Enterprises, Inc. in 1991
§ Uses UDP
  – Port 1645 (legacy) and 1812 for Authentication and Authorization
  – Port 1646 (legacy) and 1813 for Accounting
§ Three responses from a RADIUS Server to a Network Access Device (NAD)
  – Access-Reject
  – Access-Challenge
  – Access-Accept
§ Authorization values are also sent to the NAD (dACL, VLAN, SGT, etc.)
  – Attribute-Value Pairs (AVPs) carry data in both the request and the response for the authentication, authorization, and accounting transactions
  – Vendors can define their own Vendor-Specific Attributes
§ Uses a shared secret to obfuscate the passwords it passes
  – Only the User-Password attribute is hidden (an MD5 XOR keyed by the secret); User-Name and every other attribute cross the wire in cleartext, so RADIUS over an untrusted network needs IPsec or RADIUS over TLS (RadSec, RFC 6614)
§ Used for 802.1X authentication
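Added example, not part of the Cisco deck: a Python sketch of the RADIUS mechanics the slide names, written from RFC 2865 alone. It builds an Access-Request carrying a User-Name and a User-Password hidden with the shared secret, parses the AVPs back out of the datagram, shows that the server's Accept or Reject is bound to the request only by an MD5 Response Authenticator, and shows that one captured request/response pair lets an eavesdropper guess a weak shared secret offline. The secret `testing123`, the NAS address 192.0.2.10, the user and the password are constructed values for the example.

```python
import hashlib
import hmac
import struct

SECRET = b"testing123"   # constructed shared secret, not a real deployment's

# Packet codes and attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_CLASS = 1, 2, 4, 25
HEADER = struct.Struct("!BBH")   # code, identifier, length; then a 16-byte authenticator


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 octets, XOR each block with an MD5 chain seeded by
    the secret and the Request Authenticator. Reversible obfuscation, not encryption."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += cipher
        prev = cipher             # the next block is chained on the previous ciphertext
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password; what the server does on receipt."""
    plain, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")   # drop the padding


def avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-Value Pair: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    _code, _ident, length = HEADER.unpack_from(packet)
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs


def build_access_request(ident, user, password, secret, request_auth):
    attrs = (avp(ATTR_USER_NAME, user)
             + avp(ATTR_USER_PASSWORD, hide_user_password(password, secret, request_auth))
             + avp(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))   # constructed NAD address
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_auth, secret):
    """What the NAD must do before acting on an Accept: confirm the reply was produced
    by a holder of the shared secret for this exact request (and not modified)."""
    code, ident, length = HEADER.unpack_from(response)
    expected = response_authenticator(code, ident, response[20:length], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def guess_secret(request, response, candidates):
    """Offline check an eavesdropper can run on one captured request/response pair: the
    Response Authenticator is a plain MD5 over packet bytes plus the secret, so a weak
    secret falls to guessing. Returns the matching candidate or None."""
    request_auth = request[4:20]
    for cand in candidates:
        if verify_response(response, request_auth, cand):
            return cand
    return None


if __name__ == "__main__":
    ra = bytes(range(16))   # constructed; a real NAD uses 16 fresh random bytes per request
    req = build_access_request(7, b"alice", b"p@ssw0rd", SECRET, ra)
    print("User-Name readable on the wire:", parse_avps(req)[ATTR_USER_NAME])
    acc = build_response(ACCESS_ACCEPT, 7, ra, SECRET, avp(ATTR_CLASS, b"employee"))
    print("Accept verifies with the right secret:", verify_response(acc, ra, SECRET))
    print("Recovered secret:", guess_secret(req, acc, [b"cisco", b"testing123"]))
```

The Request Authenticator must be unpredictable: it seeds the User-Password chain, so a NAD that reuses it gives two hidden passwords the same keystream.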
802.1X
§ IEEE standard for Port-based Access Control
§ Mechanism for authentication of devices connecting to a LAN or WLAN
§ Encapsulates Extensible Authentication Protocol (EAP) over IEEE 802 (EAPOL)
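Added example, not from the original deck: a small Python builder and parser for the EAPOL framing and the EAP header it carries, run over a constructed supplicant/authenticator exchange (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Success). The MAC addresses and the identity `alice@example.com` are made up. Everything up to and including the identity response is readable by anyone on the segment, which is why tunneled EAP methods use an anonymous outer identity.

```python
import struct

PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X Port Access Entity group MAC
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
ETH_HDR = struct.Struct("!6s6sH")   # dst, src, ethertype
EAPOL_HDR = struct.Struct("!BBH")   # protocol version, packet type, body length
EAP_HDR = struct.Struct("!BBH")     # code, identifier, length (header included)

SUPPLICANT_MAC = bytes.fromhex("001122334455")      # constructed
AUTHENTICATOR_MAC = bytes.fromhex("00aabbccddee")   # constructed (the switch port)


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet (RFC 3748). Success and Failure carry no Type octet."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return EAP_HDR.pack(code, identifier, EAP_HDR.size + len(payload)) + payload


def build_eapol(src_mac, eapol_type, body=b"", dst_mac=PAE_GROUP_ADDRESS, version=2):
    """Ethernet frame carrying one EAPOL PDU (IEEE 802.1X)."""
    return (ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_EAPOL)
            + EAPOL_HDR.pack(version, eapol_type, len(body)) + body)


def parse_eap(pkt):
    if len(pkt) < EAP_HDR.size:
        raise ValueError("EAP packet too short")
    code, identifier, length = EAP_HDR.unpack_from(pkt)
    if length < EAP_HDR.size or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet")
    eap = {"code": EAP_CODES.get(code, code), "id": identifier}
    if code in (1, 2):                     # Request/Response carry a Type octet
        if length < EAP_HDR.size + 1:
            raise ValueError("EAP Request/Response without Type")
        eap["type"] = pkt[4]
        eap["data"] = pkt[5:length]
        if code == 2 and eap["type"] == EAP_TYPE_IDENTITY:
            # The identity is unprotected on the wire: first thing a sniffer on the segment learns.
            eap["identity"] = eap["data"].split(b"\x00", 1)[0].decode("utf-8", "replace")
    return eap


def parse_eapol(frame):
    """Decode Ethernet + EAPOL, and the EAP payload when the type is EAP-Packet."""
    if len(frame) < ETH_HDR.size + EAPOL_HDR.size:
        raise ValueError("frame too short")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, ptype, length = EAPOL_HDR.unpack_from(frame, ETH_HDR.size)
    body = frame[ETH_HDR.size + EAPOL_HDR.size:][:length]
    if len(body) != length:   # Ethernet padding past `length` is ignored; a short body is an error
        raise ValueError("EAPOL body truncated")
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
           "type": EAPOL_TYPES.get(ptype, ptype), "length": length}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def is_malformed(frame):
    """True when the frame fails parsing; used to exercise the length checks."""
    try:
        parse_eapol(frame)
        return False
    except ValueError:
        return True


def sample_exchange():
    """Constructed port-level exchange, in order, up to EAP-Success. The authenticator does
    not decide the outcome itself: it relays the inner EAP packets to the RADIUS server
    and echoes back the Success or Failure the server returns."""
    frames = [
        build_eapol(SUPPLICANT_MAC, 1),                                                      # EAPOL-Start
        build_eapol(AUTHENTICATOR_MAC, 0, build_eap(1, 1, EAP_TYPE_IDENTITY), dst_mac=SUPPLICANT_MAC),
        build_eapol(SUPPLICANT_MAC, 0, build_eap(2, 1, EAP_TYPE_IDENTITY, b"alice@example.com")),
        build_eapol(AUTHENTICATOR_MAC, 0, build_eap(3, 2), dst_mac=SUPPLICANT_MAC),          # EAP-Success
    ]
    return [parse_eapol(f) for f in frames]


if __name__ == "__main__":
    for step in sample_exchange():
        print(step)
```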
Identity Management for End Users
802.1X Elements
The Role of Cisco ISE: Authentication Server
The Role of Cisco Switches: Network Access Device (NAD)
The Role of Wireless LAN Controllers
§ Also act as a NAD
§ Talk to clients using 802.1X
§ Talk to Cisco ISE using RADIUS
§ Apply policy as directed by Cisco ISE
Simple Configuration of 802.1X with Cisco ISE
Demo (As Time Permits)
Identity Management for Administrative Access
TACACS+
§ More commonly used for administrative authentications
§ Enables command authorization capability
§ Works with Cisco Secure ACS
§ Currently not supported in Cisco ISE 1.2
§ TCP / 49
§ Separate Authentication, Authorization, and Accounting processes
§ Obfuscates the body of the packet; the header (version, type, sequence number, session ID, length) is sent in cleartext
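Added example, not from the deck: Python implementing the TACACS+ framing from RFC 8907 (the current TACACS+ specification), covering both TACACS+ slides and the command-authorization slide that follows. It shows the 12-byte header in cleartext, the body XORed with the MD5 pseudo-pad derived from the shared secret, session ID, version and sequence number, the unencrypted flag, an Authentication START body, and the Authorization REQUEST an IOS device sends for `show running-config` under `aaa authorization commands 15` (service=shell, cmd=show, cmd-arg=running-config, cmd-arg=<cr>). The key `tacacs-secret`, the session IDs, the user and the addresses are constructed.

```python
import hashlib
import struct

# Constants from RFC 8907; anything marked "constructed" below is made up for the example.
TAC_PLUS_VERSION = 0xC0                 # major 12, minor 0 (one octet, used as-is in the pad)
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id + key + version + seq_no),
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice with the same inputs restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, key, body, version=TAC_PLUS_VERSION):
    """Header in cleartext; body obfuscated unless key is None (unencrypted flag, lab use only)."""
    flags, payload = 0, body
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    else:
        payload = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("body truncated")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload
    elif key is None:
        raise ValueError("obfuscated body received but no key configured")
    else:
        body = obfuscate(payload, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def authen_start_body(user, port, rem_addr, data=b"", action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START (RFC 8907 section 5.1): action LOGIN=1, authen_type ASCII=1, service LOGIN=1."""
    head = bytes([action, priv_lvl, authen_type, service, len(user), len(port), len(rem_addr), len(data)])
    return head + user + port + rem_addr + data


def author_request_body(user, port, rem_addr, args, authen_method=6, priv_lvl=15, authen_type=1, service=1):
    """Authorization REQUEST (RFC 8907 section 6.1); authen_method 6 = TACACSPLUS.
    Each arg is an attr=value pair; the arg lengths precede the variable-length fields."""
    head = bytes([authen_method, priv_lvl, authen_type, service, len(user), len(port), len(rem_addr), len(args)])
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    """Inverse of author_request_body: what the server sees before evaluating its command sets."""
    _method, priv_lvl, _atype, _service, ul, pl, rl, argc = body[:8]
    arg_lens = list(body[8:8 + argc])
    pos, fields = 8 + argc, []
    for n in (ul, pl, rl, *arg_lens):
        fields.append(body[pos:pos + n])
        pos += n
    user, port, rem_addr, *args = fields
    return {"priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def xor_bodies(pkt_a, pkt_b):
    """Two packets sharing key, session_id, version and seq_no share a pad, so the XOR of
    their obfuscated bodies is the XOR of the plaintexts with no key needed. This is why a
    NAD must choose an unpredictable session_id per session."""
    a, b = pkt_a[HEADER.size:], pkt_b[HEADER.size:]
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    key, sid = b"tacacs-secret", 0x0A0B0C0D   # constructed
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, sid, key, authen_start_body(b"admin", b"tty0", b"192.0.2.50"))
    print("cleartext header:", HEADER.unpack_from(pkt))
    print("decoded user:", parse_packet(pkt, key)["body"][8:13])
    args = [b"service=shell", b"cmd=show", b"cmd-arg=running-config", b"cmd-arg=<cr>"]
    req = build_packet(TAC_PLUS_AUTHOR, 1, 0x5EC12345, key,
                       author_request_body(b"admin", b"tty0", b"192.0.2.50", args))
    print(parse_author_request(parse_packet(req, key)["body"]))
```

Because the header is never obfuscated, a passive observer still learns packet type, sequence and session ID for every exchange; only the usernames, passwords and command arguments inside the body are hidden, and only as well as the shared secret is.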
Cisco Secure ACS
Add Network Devices
Create Identity Group
Define User & Associate To Group
The Role of Cisco IOS Routers & Switches: Using Command Authorization
Thank You for Joining Us Today
Download a copy of today’s slides using the link in the chat.
Today’s webcast will be available on-demand within 48 hours.
Please complete the survey after closing the WebEx event.