cisco acs eduroam

Post on 17-Oct-2015


TRANSCRIPT

  • 5/27/2018 Cisco ACS Eduroam

    1/29

    Cisco Secure ACS

    By Igor Koudashev, Systems Engineer, Cisco Systems Australia


    2006 Cisco Systems, Inc. All rights reserved. 1

    Cisco Secure Access Control System: policy control and integration point for network access

    Enterprise network access control platform:

    Remote Access (VPN)

    Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)

    Administrative access control system for Cisco network devices (TACACS+)

    Auditing, compliance and accounting features

    Control point for access policy & application access integration

    Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy

    Consistent Policy Control and Key Scenarios

    Device Administration

    Remote Access

    CiscoWorks

    Wireless and 802.1x

    Network Admission Control (NAC)

    AD / LDAP; ACS

    Compliance features:

    Posture / Audit

    Authentication policy (OTP, complex password)

    Authorization enforcement (network access, device command authorization)

    Audit logging

    [Diagram: Cisco Secure ACS deployment overview ("Who? Where? Why?"). Remote users (home office) reach the network through the provider's ISP AAA dial access or the Cisco VPN client and a VPN concentrator; campus users and guest users on laptops connect through an Aironet AP (web auth) or a Cisco/CCX WLAN client; wired devices connect through a Catalyst switch or IOS router; the Cisco Trust Agent posture client, CTS device posture client and NIC controller (TRDP) report posture. All of these speak RADIUS to Cisco Secure ACS, which consults the user repository (LDAP, AD, OTP, ODBC) and external policy and audit servers (HCAP, GAME). Captions: "some people some of the time", "all people all of the time", "all machines", "all devices"; User, Machine, Posture.]

    Our customers use ACS for:

    1. Authentication and authorization (privileges) of remote users (traditional RADIUS)

    2. Security of wired and wireless networks

    3. Administrators' access management to network devices and applications (TACACS+)

    4. Security audit reports or account billing information

    Ships in two form factors: Software and Appliance

    ACS has been successful because it combines access security, authentication, user and administrator access, and policy control in a centralized identity framework

    RADIUS - Remote Authentication Dial In User Service

    TACACS+ - Terminal Access Controller Access-Control System Plus

    TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the earlier TACACS protocol.

    RADIUS

    A protocol used to communicate between a network device and an authentication (AAA) server.

    Allows the communication of login and authentication information, i.e. username/password, OTP, etc.

    Allows the communication of arbitrary value pairs using Vendor Specific Attributes (VSAs).

    Can also act as a transport for EAP messages.

    RFC 2058

    [Packet diagram: UDP Header | RADIUS Header | EAP Payload]

    [Diagram: AAA client/server model. The AAA Client (Network Access Server) talks RADIUS or TACACS+ to the AAA server, which authenticates against a local database or a variety of external databases.]

    AAA Client/Server:

    - AAA Client defers authorization to centralized AAA server

    - Uses standards-based protocols for AAA services

    The process of authentication is used to verify a claimed identity

    An identity is only useful as a pointer to an applicable

    Without authorization or associated policies,

    An authentication system is only as strong as the method of verification used

    Protocols and Mechanism

    [Diagram: a Request for Service (Connectivity) from Device Access, LAN and Wireless clients reaches ACS over 802.1x / RADIUS; ACS provides Backend Authentication Support and Identity Store Integration.]

    - IEEE 802.1x framework

    - Use of RADIUS

    RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)

    RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579

    [Packet diagram: IP Header | UDP Header | RADIUS Header | EAP Payload]

    RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs

    [Packet diagram: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs]

    802.1X usage of RADIUS: RFC 3580

    EAP - The Extensible Authentication Protocol

    A flexible protocol used to carry arbitrary authentication information, not the authentication method itself.

    ... between systems and increasing need for more elaborate and secure authentication methods.

    Typically rides directly over data-link layers such as 802.1x or PPP media.

    Originally specified in RFC 2284, obsoleted by RFC 3748

    802.1x

    Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads

    A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry EAP information

    Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges; EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS

    Three forms of EAP are specified in the standard:

    EAP-MD5 - MD5 hashed username/password

    EAP-OTP - one-time passwords

    - Token-card implementations requiring user input

    [Packet diagram: Ethernet Header | 802.1x Header | EAP Payload]
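    The two packet diagrams on the RADIUS and 802.1x slides above show EAP riding inside RADIUS between the authenticator and the RADIUS server. The Python below is an added example, not code from the presentation or from Cisco's ACS, that builds the Access-Request an authenticator (switch or AP) sends: it wraps an EAP-Response/Identity frame, splits long EAP frames across consecutive EAP-Message attributes, and adds the Message-Authenticator HMAC-MD5 that RFC 3579 requires whenever EAP-Message is present. It then shows the server side: a length-checked attribute parser, verification of the Message-Authenticator, and reassembly of the EAP frame. The shared secret, the request authenticator and the eduroam-style identity are constructed values.

```python
"""RADIUS Access-Request carrying EAP (RFC 3579 style): build, parse, verify.

Added example; not Cisco ACS code. Secrets and identities are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_CHUNK = 253            # 255-byte attribute limit minus 2-byte type/length
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity frame: Code | Identifier | Length | Type=1 | identity."""
    return (struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(identity))
            + bytes([EAP_TYPE_IDENTITY]) + identity)


def _attr(atype, value):
    """Encode one RADIUS attribute (type, length, value)."""
    if len(value) > EAP_CHUNK:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def raw_access_request(identifier, request_authenticator, attrs):
    """RADIUS header (code, id, length, 16-byte authenticator) followed by attributes."""
    return (struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
            + request_authenticator + attrs)


def build_access_request(identifier, request_authenticator, shared_secret, username, eap_frame):
    """What the authenticator (switch/AP) sends: EAP inside RADIUS plus Message-Authenticator."""
    attrs = _attr(ATTR_USER_NAME, username)
    # RFC 3579 3.1: frames longer than 253 bytes are split over consecutive EAP-Message attributes
    for i in range(0, len(eap_frame), EAP_CHUNK):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_frame[i:i + EAP_CHUNK])
    # Message-Authenticator is mandatory with EAP-Message; HMAC is computed with its value zeroed
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    unsigned = raw_access_request(identifier, request_authenticator, attrs)
    mac = hmac.new(shared_secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac          # the zeroed value is the last 16 bytes


def parse_attributes(packet):
    """Return (code, identifier, authenticator, [(type, offset, value)]); reject bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs


def verify_message_authenticator(packet, shared_secret):
    """Server-side check: HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    _, _, _, attrs = parse_attributes(packet)
    mas = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas or len(mas[0][1]) != 16:
        return False  # EAP-Message without Message-Authenticator: discard (RFC 3579 3.3)
    off, received = mas[0]
    zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
    expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def extract_eap(packet):
    """Reassemble the EAP frame from EAP-Message attributes, in order, and check its length."""
    _, _, _, attrs = parse_attributes(packet)
    frame = b"".join(v for t, _, v in attrs if t == ATTR_EAP_MESSAGE)
    if frame and (len(frame) < 4 or struct.unpack("!H", frame[2:4])[0] != len(frame)):
        raise ValueError("EAP length does not match reassembled frame")
    return frame


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed; never reuse in production
    eap = eap_response_identity(1, b"[email protected]")  # constructed identity
    pkt = build_access_request(7, os.urandom(16), secret, b"[email protected]", eap)
    print("valid:", verify_message_authenticator(pkt, secret), "eap:", extract_eap(pkt))
```

    The HMAC-MD5 Message-Authenticator is what lets the RADIUS server tie an EAP-bearing Access-Request to a NAS that knows the shared secret; without it the server cannot distinguish a genuine authenticator from a spoofed one, which is why RFC 3579 has servers discard such requests. The parser rejects any attribute whose declared length runs past the packet before the EAP payload is ever looked at.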

    Current Prevalent Authentication Methods

    Challenge-response-based:

    EAP-MD5: Uses MD5 based challenge-response for authentication

    LEAP: Uses username/password authentication

    EAP-MSCHAPv2: Uses username/password MSCHAPv2 challenge-response authentication

    Cryptographic-based:

    EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for authentication

    Tunneling methods:

    PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like web based SSL

    EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel

    EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment

    Other:

    EAP-GTC: Generic token and OTP authentication

    802.1x is a client-server-based access control and authentication

    to a LAN through publicly accessible ports

    [Diagram: supplicant PC, switch and ACS (AAA server), with numbered steps 1 to 4.]

    1 User activates link (i.e. turns on the PC)

    2 Switch requests authentication server if user is authorized to access LAN

    4 Switch opens controlled port (if authorized) for user to access LAN

    Features and Functions

    ACS implements identity management and AAA services

    CD-ROM version for any Windows 2003 server

    on hardened Win2003 OS

    (... users, thousands of RADIUS/TACACS+ devices)

    Security-hardened underlying OS.

    Port-based packet filtering, allowing connections only to the ports necessary for Cisco Secure ACS operation.

    Serial console interface for initial configuration, subsequent management of connections, the interface, and application of upgrades and remote reboots. The serial console interface supports both serial line and Telnet connections.

    Backup/restore of the Cisco Secure ACS data via FTP.

    Network Time Protocol (NTP) support for maintaining network time consistency with other appliances or network devices.

    ACS - The Policy Based Network

    ACS Versions in the field:

    ACS 4.0 SW (FCS 2004) -> main feature NAC Phase 2 (external audit, service based policy)

    ACS 4.1 SW (FCS 2006) -> main feature extended logging support, new ACS administrator management, PEAP/EAP-TLS support, ... Support

    ACS 4.2 SW (FCS 2008)

    The administrator entirely controls the ACS behavior by configuring:

    How to process an access request: do (not) authenticate / using which auth protocols / ...

    Credential validation policies (i.e. which DB to use for auth)

    Classification: map identity to user-group, map posture credentials to posture-token

    Authorization policies: map from user-group & posture-token to RADIUS profile

    Different policies can be applied to different network access. Example: wireless access vs. remote (VPN) access policy

    Automatic service monitoring, database synchronization, and importing tools for large-scale deployments

    LDAP, ODBC and OTP (RSA, others) user authentication

    Flexible 802.1X authentication support, including EAP-TLS, ...

    Downloadable ACLs for any Layer 3 device, including routers, PIX firewalls, and VPNs (per user, per group)

    ... and filters

    Device command set authorization

    Dynamic quota generation

    User and device group profiles

    Scenarios: Cisco Secure ACS

    Network Access Scenario: Centralized Access Control Server

    [Diagram: Cisco Secure ACS (with ACS View) as the enterprise's centralized access control server. Remote access (VPN) arrives via the provider's ISP AAA and a VPN concentrator; wireless users authenticate with 802.1x EAP-TLS through an Aironet AP over RADIUS; LAN users authenticate with 802.1x EAP-FAST through a Catalyst switch and IOS router. ACS consults the user repository (LDAP, AD, OTP, ODBC) and external policy and audit servers (HCAP, GAME).]

    [Diagram: device administration scenario. Network administrators authenticate through ACS (TACACS+ or RADIUS) to routers, switches and APs, with per-group privilege levels: backbone devices FULL ACCESS, West-APs PARTIAL, other devices READ ONLY. Also shown: the security perimeter, Unix SERVER ACCESS, PBX SERVER ACCESS, terminal server system access with secure authentication mechanisms, DSMS, ACS replication, and a logging server (Syslog, ACS or RA).]

    GUI Interface / Screen Shots

    Remote Administrator authentication page (http://server-name/IP:2002). Administrator must be configured prior to remote login. If accessed on the local system (for example, using 127.0.0.1 as the IP address) this page is not displayed and the administrator gains access.
