Cisco ACS Eduroam

Page 1: Cisco ACS Eduroam

Cisco Secure ACS Overview

By Igor Koudashev, Systems Engineer, Cisco Systems Australia [email protected]

© 2006 Cisco Systems, Inc. All rights reserved. 1

Page 2: Cisco ACS Eduroam

Cisco Secure Access Control System: Policy Control and Integration Point for Network Access

Enterprise network access control platform:

Remote Access (VPN)

Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)

Administrative access control system for Cisco network devices (TACACS+)

Auditing, compliance and accounting features

Control point for access policy & application access integration

Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy

Page 3: Cisco ACS Eduroam

Consistent Policy Control and Compliance

Key Scenarios: Compliance, Device Administration, Remote Access, Wireless and 802.1x, Network Admission Control (NAC)

[Diagram: ACS at the centre, integrated with CiscoWorks and AD / LDAP]

Compliance features:

Posture / Audit

Authentication policy (OTP, complex password…)

Authorization enforcement (network access, device command authorization…)

Audit logging

Page 4: Cisco ACS Eduroam

ACS – Network Access Control Point

[Diagram: ACS as the single control point answering Who? Where? Why? for every access path]

Who: Remote Users (Home Office, Road Warrior), Campus User, Guest User; Laptop and other devices; User, Machine, Posture

Client side: Cisco VPN Client, Cisco or CCX WLAN Client, 802.1x Supplicant, Cisco Trust Agent Posture Client, CTS Device, NIC Controller (TRDP)

Where (access devices): Provider ISP AAA (Dial Access), VPN Concentrator, Aironet AP (Web Auth), Catalyst Switch, IOS Router

Why (policy): access devices speak RADIUS to Cisco Secure ACS, backed by a User Repository (LDAP, AD, OTP, ODBC) and External Policy and Audit Servers (HCAP, GAME)

Scope labels on the diagram: some of the people some of the time; all of the people all of the time; all machines; all devices

Page 5: Cisco ACS Eduroam

How is ACS used

Our customers use ACS for:

1. Authentication and authorization (privileges) of remote users (traditional RADIUS)

2. Security of wired and wireless networks (EAP)

3. Administrators' access management to network devices and applications (TACACS+)

4. Security audit reports or account billing information

Ships in two form factors: Software and Appliance

ACS has been successful because it combines access security, authentication, user and administrator access, and policy control in a centralized identity framework

Page 6: Cisco ACS Eduroam

AAA – Related Protocols

RADIUS – Remote Authentication Dial In User Service

TACACS+ – Terminal Access Controller Access Control System. TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the TACACS protocol referenced by RFC 1492.

Page 7: Cisco ACS Eduroam

What is RADIUS?

A protocol used to communicate between a network device and an authentication server or database.

Allows the communication of login and authentication information, i.e. username/password, OTP, etc.

Allows the communication of arbitrary value pairs using “Vendor Specific Attributes” (VSAs).

Can also act as a transport for EAP messages.

RFC 2058

[Diagram: UDP Header | RADIUS Header | EAP Payload]

Page 8: Cisco ACS Eduroam

How Cisco Secure ACS Operates

[Diagram: AAA Client (Network Access Server) talks TACACS+ / RADIUS to Cisco Secure ACS, which supports a variety of authentication methods against a local database or a variety of external databases]

• AAA Client/Server: AAA Client defers authorization to centralized AAA server

• Highly scalable

• Uses standards-based protocols for AAA services

Page 9: Cisco ACS Eduroam

Some important points of Authentication

The process of authentication is used to verify a claimed identity

An identity is only useful as a pointer to an applicable policy and for accounting

Without authorization or associated policies, authentication alone is pretty meaningless

An authentication system is only as strong as the method of verification used

Page 10: Cisco ACS Eduroam

Network Access Control Model

[Diagram: Device Access (LAN, Wireless) sends a Request for Service (Connectivity) over 802.1x to the access device, which uses RADIUS to reach ACS; ACS provides Backend Authentication Support and Identity Store Integration]

Protocols and Mechanism:

Extensible Authentication Protocol (EAP – RFC 3748)

IEEE 802.1x framework

Use of RADIUS

Page 11: Cisco ACS Eduroam

How RADIUS is used here?

RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)

RFC for how RADIUS should support EAP between authenticator and authentication server—RFC 3579

[Diagram: IP Header | UDP Header | RADIUS Header | EAP Payload]

RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs

[Diagram: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs]

Usage guideline for 802.1x authenticators' use of RADIUS—RFC 3580
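The RADIUS-over-UDP encapsulation of EAP shown on slides 7, 11 and 13 can be walked through in code. The following is an added example, not part of the original deck or of any Cisco ACS software: it builds a constructed Access-Request carrying an EAP Response/Identity, verifies the Message-Authenticator (HMAC-MD5) that RFC 3579 requires whenever EAP-Message attributes are present, and decodes the EAP header; the shared secret, identity and Request Authenticator are constructed sample values.

```python
import hashlib, hmac, struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types used by RFC 3579

def parse_attributes(packet):
    """Yield (type, value, offset) for each RADIUS attribute after the 20-byte header."""
    offset = 20
    while offset < len(packet):
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield atype, packet[offset + 2:offset + alen], offset
        offset += alen

def check_message_authenticator(packet, secret):
    """RFC 3579 check: HMAC-MD5 over the whole packet with the attribute value zeroed."""
    for atype, value, off in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # no Message-Authenticator: a server must reject an EAP request

def extract_eap(packet):
    """Reassemble EAP-Message fragments and decode the EAP header (code, id, length, type)."""
    data = b"".join(v for t, v, _ in parse_attributes(packet) if t == EAP_MESSAGE)
    code, ident, length = struct.unpack("!BBH", data[:4])
    return {"code": code, "id": ident, "type": data[4], "data": data[5:length]}

def build_access_request(secret, eap, request_authenticator):
    """Constructed Access-Request (code 1) as a switch would send it to ACS, with a valid MAC."""
    attrs = bytes([EAP_MESSAGE, 2 + len(eap)]) + eap            # one fragment (< 254 bytes)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16  # placeholder, filled below
    pkt = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + request_authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

# Constructed sample values (not from the slides): secret, Request Authenticator, Response/Identity
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
IDENTITY = b"alice@example.edu"
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY

def demo(secret=SECRET):
    """Return (authenticator_ok, tampered_ok, decoded_eap) for the sample packet."""
    pkt = build_access_request(secret, EAP_IDENTITY, REQ_AUTH)
    i = pkt.find(IDENTITY)
    tampered = pkt[:i] + b"m" + pkt[i + 1:]  # identity altered in transit: MAC must fail
    return check_message_authenticator(pkt, secret), check_message_authenticator(tampered, secret), extract_eap(pkt)
```

Without the Message-Authenticator check, anything between authenticator and server could rewrite the EAP payload unnoticed, which is why RFC 3579 makes the attribute mandatory for EAP-carrying requests.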

Page 12: Cisco ACS Eduroam

What’s EAP?

EAP – The Extensible Authentication Protocol

A flexible protocol used to carry arbitrary authentication information – not the authentication method itself.

Rose out of need to reduce complexity of relationships between systems and increasing need for more elaborate and secure authentication methods

Typically rides directly over data-link layers such as 802.1x or PPP media.

Originally specified in RFC 2284, obsoleted by RFC 3748

Page 13: Cisco ACS Eduroam

What does it do?

Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads

A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry EAP information

Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges; EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS

Three forms of EAP are specified in the standard:

EAP-MD5—MD5 hashed username/password

EAP-OTP—one-time passwords

EAP-GTC—token-card implementations requiring user input

[Diagram: Ethernet Header | 802.1x Header | EAP Payload]

Page 14: Cisco ACS Eduroam

Current Prevalent Authentication Methods

Challenge-response-based:

EAP-MD5: Uses MD5 based challenge-response for authentication

LEAP: Uses username/password authentication

EAP-MSCHAPv2: Uses username/password MSCHAPv2 challenge-response authentication

Cryptographic-based:

EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for authentication

Tunneling methods:

PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel—much like web based SSL

EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel

EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment

Other:

EAP-GTC: Generic token and OTP authentication

Page 15: Cisco ACS Eduroam

IEEE 802.1x

802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports

[Diagram: PC – switch – ACS (AAA Server), numbered steps 1 to 4]

1. User activates link (i.e. turns on the PC)

2. Switch requests authentication server if user is authorized to access LAN

3. Authentication server responds with authority access

4. Switch opens controlled port (if authorized) for user to access LAN

Page 16: Cisco ACS Eduroam

Features and Functions


Page 17: Cisco ACS Eduroam

Hardware/Software Platform

ACS implements identity management and AAA services

CD-ROM version for any Windows 2003 server

Appliance version delivered on hardened Win2003 OS

Highly scalable (100,000+ users, thousands of RADIUS/TACACS+ devices) and feature-rich

Page 18: Cisco ACS Eduroam

Features Unique to the ACS Appliance

Security-hardened underlying OS.

Port-based packet filtering, allowing connections only to the ports necessary for Cisco Secure ACS operation.

Serial console interface for initial configuration, subsequent management of IP connections, Web interface, and application of upgrades and remote reboots. The serial console interface supports both serial line and Telnet connections.

SNMP read-only support to monitor the appliance from external systems.

Backup/restore of the Cisco Secure ACS data via FTP.

Recovery procedures.

Network Timing Protocol (NTP) support for maintaining network time consistency with other appliances or network devices.

Page 19: Cisco ACS Eduroam

ACS – The Policy Based Network Controller

ACS Versions in the field:

ACS 4.0 SW (FCS 2004) -> main feature NAC Phase 2 (L2 Posture Validation and external audit, service based policy)

ACS 4.1 SW (FCS 2006) -> main feature extended logging support, new ACS administrator management, PEAP/EAP-TLS support, Japanese Microsoft Windows Support

ACS 4.2 SW (FCS 2008)

Page 20: Cisco ACS Eduroam

Service Based Policy

The administrator entirely controls the ACS behavior by configuring aggregated Service Based Policies:

– How to process an access request: do (not) authenticate / using which auth protocols / do (not) validate posture / which posture protocols…

– Credential validation policies (i.e. which DB to use for auth)…

– Classification: map identity to user-group, map posture credentials to posture-token…

– Authorization policies: map from user-group & posture-token to radius profile…

Different policies can be applied to different network access. Example: wireless access vs. remote (VPN) access policy

Page 21: Cisco ACS Eduroam

ACS Features

Automatic service monitoring, database synchronization, and importing tools for large-scale deployments

LDAP, ODBC and OTP (RSA, others) user authentication

Flexible 802.1X authentication support, including EAP-TLS, Protected EAP (PEAP), Cisco LEAP, EAP-FAST, and EAP-MD5

Downloadable ACLs for any Layer 3 device, including routers, PIX® firewalls, and VPNs (per user, per group)

Network & machine access restrictions and filters

Device command set authorization

Detailed audit and accounting reports

Dynamic quota generation

User and device group profiles

Page 22: Cisco ACS Eduroam

Deployment Scenarios

Cisco Secure ACS

Page 23: Cisco ACS Eduroam

Network Access Scenario: Centralized Access Control Server

[Diagram: a Centralized Access Control Server (Cisco Secure ACS, with ACS View) serving three access paths]

Remote Access – VPN: Remote User -> Provider ISP AAA -> VPN Concentrator

Wireless 802.1x – EAP-TLS: Wireless User -> Aironet AP

LAN 802.1x – EAP-FAST: Wired user -> Catalyst Switch / IOS Router

All access devices use RADIUS to Cisco Secure ACS, backed by a User Repository (LDAP, AD, OTP, ODBC) and External Policy and Audit Servers (HCAP, GAME)

Page 24: Cisco ACS Eduroam

Device Administration Scenario

[Diagram: Network Administrators with Full Access, Partial and Read Only privilege levels managing Routers, Switches and APs (Backbone, West-APs, East) through ACS at the Security Perimeter]

ACS authorizes device administration over T+ or RADIUS; ACS replication to a second server; Syslog, ACS or RA logging server

Server access covered by the same model: Unix server access, DSMS, PBX server access, Terminal Server System Access

Secure auth mechanisms

Page 25: Cisco ACS Eduroam

GUI Interface/Screen Shots


Page 26: Cisco ACS Eduroam

Cisco Secure ACS – Accessing GUI

Remote Administrator authentication page (http://server-name/IP:2002)

Administrator must be configured prior to remote login.

If accessed on the local system (for example, using 127.0.0.1 as the IP address) this page is not displayed and the administrator gains access.

Page 27: Cisco ACS Eduroam

Cisco Secure ACS Home Page

Page 28: Cisco ACS Eduroam

NAP – Network Access Profile
