Cisco ACS Eduroam (printed 5/27/2018)

Cisco Secure ACS
By Igor Koudashev, Systems Engineer, Cisco Systems Australia
2006 Cisco Systems, Inc. All rights reserved.
Cisco Secure Access Control System: policy control and integration point for network access

- Enterprise network access control platform
- Remote access (VPN)
- Wireless and wired access (LEAP, PEAP, EAP-FAST, 802.1X, etc.)
- Administrative access control system for Cisco network devices (TACACS+)
- Auditing, compliance and accounting features
- Control point for access policy and application access integration
- Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy
Consistent Policy Control and Key Scenarios

Scenarios:
- Device administration
- Remote access
- CiscoWorks
- Wireless and 802.1X
- Network Admission Control (NAC)
- AD / LDAP integration with ACS

Compliance features:
- Posture / audit
- Authentication policy (OTP, complex password)
- Authorization enforcement (network access, device command authorization)
- Audit logging
[Figure: ACS deployment overview ("Where? Who? Why?"). Remote users reach the network from the home office by dial access through the provider's ISP AAA, or with the Cisco VPN Client through a VPN concentrator; campus users and guest users on laptops use a Cisco or CCX WLAN client through an Aironet AP (web auth) or connect to a Catalyst switch or IOS router. All of these devices talk RADIUS to Cisco Secure ACS, which consults a user repository (LDAP, AD, OTP, ODBC) and external policy and audit servers (HCAP, GAME). Posture is collected from the Cisco Trust Agent posture client, the CTS device posture client and the NIC controller (TRDP). Policy scope ranges from "some of the people some of the time" to "all people all of the time", "all machines" and "all devices"; decisions are based on user, machine and posture.]
Our customers use ACS for:
1. Authentication and authorization (privileges) of remote users (traditional RADIUS)
2. Security of wired and wireless networks
3. Administrators' access management to network devices and applications (TACACS+)
4. Security audit reports or account billing information

Ships in two form factors: software and appliance.

ACS has been successful because it combines access security, authentication, user and administrator access, and policy control in a centralized identity framework.
RADIUS: Remote Authentication Dial-In User Service
TACACS+: Terminal Access Controller Access Control System Plus

TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the earlier TACACS protocol. Unlike RADIUS, it runs over TCP (port 49), separates authentication, authorization and accounting into distinct exchanges, and encrypts the entire packet body under the shared key, whereas RADIUS hides only the User-Password attribute and sends the rest of the packet in the clear.
RADIUS: a protocol used to communicate between a network device and an AAA server.
- Allows the communication of login and authentication information, i.e. username/password, OTP, etc.
- Allows the communication of arbitrary value pairs using Vendor Specific Attributes (VSAs).
- Can also act as a transport for EAP messages.
- Originally specified in RFC 2058; the current specification is RFC 2865.
[Figure: UDP header | RADIUS header | EAP payload]
AAA client/server model
- The AAA client (Network Access Server) defers authentication and authorization to a centralized AAA server.
- Uses standards-based protocols for AAA services: RADIUS or TACACS+.
- A variety of authentication sources: the server's local database, or a variety of external user databases.
Authentication and authorization
- The process of authentication is used to verify a claimed identity.
- An identity is only useful as a pointer to an applicable policy: without authorization or associated policies, a verified identity grants nothing by itself.
- An authentication system is only as strong as the method of verification used.
ACS in the network
[Figure: device access, LAN and wireless clients issue a request for service (connectivity); the access device relays it over 802.1X and RADIUS to ACS, which provides backend authentication support and identity store integration.]
Protocols and mechanisms:
- IEEE 802.1X framework
- Use of RADIUS
RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server).
RFC 3579 specifies how RADIUS should support EAP between authenticator and authentication server; RFC 3580 gives the IEEE 802.1X usage guidelines for RADIUS.
[Figure: IP header | UDP header | RADIUS header | EAP payload]
RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.
[Figure: IP header | UDP header | RADIUS header | EAP payload | AV pairs]
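The two packet layouts above are easier to reason about with the bytes in hand. The following Python is an added example, not code from these slides or from Cisco ACS: it builds a RADIUS Access-Request both in the PAP style (User-Password hidden with the shared secret as RFC 2865 section 5.2 specifies) and in the 802.1X style (the EAP packet carried in an EAP-Message attribute, protected by the HMAC-MD5 Message-Authenticator that RFC 3579 requires), and implements the checks each side performs. The shared secret, user names and EAP payload are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 section 3) and the attribute types used here
# (User-Name/User-Password from RFC 2865, EAP-Message/Message-Authenticator from RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80


def attr(atype, value):
    """Encode one Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def parse(pkt):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...]),
    refusing Length fields or attribute lengths that disagree with the bytes present."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, identifier, pkt[4:20], attrs


def build_access_request(identifier, secret, username, password=None, eap_payload=None):
    """Access-Request as sent by the NAS. A PAP-style login carries the hidden User-Password;
    an 802.1X login carries the EAP packet in EAP-Message plus the HMAC-MD5
    Message-Authenticator that RFC 3579 section 3.2 requires whenever EAP-Message is present."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, username)
    if password is not None:
        attrs += attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    if eap_payload is not None:
        attrs += attr(EAP_MESSAGE, eap_payload) + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs
    if eap_payload is not None:
        # The HMAC is computed with the Message-Authenticator value zeroed, then written in place.
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def check_message_authenticator(pkt, secret):
    """Server-side check of Message-Authenticator; False when it is absent or wrong."""
    parse(pkt)  # reject malformed packets before walking the attributes
    i = 20
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + alen])
        i += alen
    return False


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Access-Accept/Reject. The Response Authenticator (RFC 2865 section 3) is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the only thing that ties
    the reply to the request and to the shared secret."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(resp, request_authenticator, secret):
    """NAS-side check a switch must do before trusting an Access-Accept."""
    _, _, resp_auth, _ = parse(resp)
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Two things the code makes visible that the slide does not: the only integrity check on a plain (non-EAP) Access-Request and on every Access-Accept is an MD5 over the packet plus the shared secret, so a short secret, or one shared across every switch and AP, weakens every client at once; and the attribute area is otherwise cleartext, which is why the NAS-to-ACS path belongs on a dedicated management network.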
EAP: The Extensible Authentication Protocol
- A flexible protocol used to carry arbitrary authentication information, not the authentication method itself.
- Developed for authentication between systems and the increasing need for more elaborate and secure authentication methods.
- Typically rides directly over data-link layers such as 802.1X or PPP media.
- Originally specified in RFC 2284, obsoleted by RFC 3748.
802.1X
- Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
- A switch or access point becomes a conduit for relaying EAP received in 802.1X packets to an authentication server, using RADIUS to carry the EAP information.
- Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges. EAP messages can be encapsulated in the packets of other protocols, such as 802.1X or RADIUS.
- Three forms of EAP are specified in the standard:
  EAP-MD5: MD5 hashed username/password
  EAP-OTP: one-time passwords
  EAP-GTC: token-card implementations requiring user input
[Figure: Ethernet header | 802.1X header | EAP payload]
Current Prevalent Authentication Methods

Challenge-response based:
- EAP-MD5: uses MD5 based challenge-response for authentication
- LEAP: uses username/password authentication
- EAP-MSCHAPv2: uses username/password MSCHAPv2 challenge-response authentication

Cryptographic based:
- EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication

Tunneling methods:
- PEAP: Protected EAP, a tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like web-based SSL
- EAP-TTLS: other EAP methods over an extended EAP-TLS encrypted tunnel
- EAP-FAST: recent tunneling method designed to not require certificates at all for deployment

Other:
- EAP-GTC: generic token and OTP authentication

All three challenge-response methods expose a function of the password to anyone who captures the exchange, so password guesses can be tested offline; EAP-MD5 additionally authenticates only the client. That is why MSCHAPv2 is normally run inside a PEAP or EAP-TTLS tunnel rather than bare, and why EAP-MD5 is not acceptable on wireless.
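As an added example (not code from the slides or from ACS), here is the EAP-MD5 exchange from the challenge-response group, implemented from RFC 3748 section 5.4 and the CHAP algorithm of RFC 1994 it reuses: the server's MD5-Challenge request, the peer's response, the server's verification, and the offline check an on-path observer can run against the captured pair. The challenge, password and candidate list are constructed for the example; nothing here is specific to ACS.

```python
import hashlib
import hmac
import struct

# EAP codes and the MD5-Challenge type (RFC 3748 sections 4 and 5.4)
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_MD5_CHALLENGE = 4


def build_md5_challenge(code, identifier, value, name=b""):
    """EAP Request or Response of Type 4: Code, Identifier, Length, Type, Value-Size, Value, Name.
    In a Request the Value is the server's random challenge; in a Response it is the hash."""
    if not 1 <= len(value) <= 255:
        raise ValueError("Value must be 1..255 bytes")
    data = bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_md5_challenge(pkt):
    """Return (code, identifier, value, name); raise on lengths that do not add up."""
    if len(pkt) < 6:
        raise ValueError("packet too short for an MD5-Challenge")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    if pkt[4] != TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    vsize = pkt[5]
    if 6 + vsize > length:
        raise ValueError("Value-Size exceeds packet")
    return code, identifier, pkt[6:6 + vsize], pkt[6 + vsize:]


def response_value(identifier, password, challenge):
    """CHAP with MD5 (RFC 1994 section 4.1): MD5(Identifier || password || challenge).
    No server authentication and no key derivation come out of this."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def peer_respond(request_pkt, password, name):
    """The supplicant's answer to an MD5-Challenge request."""
    code, identifier, challenge, _ = parse_md5_challenge(request_pkt)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    value = response_value(identifier, password, challenge)
    return build_md5_challenge(EAP_RESPONSE, identifier, value, name)


def server_verify(request_pkt, response_pkt, password):
    """The authentication server's check. It needs the cleartext password (or an
    equivalent) on hand, which is itself a reason to prefer other methods."""
    rcode, rid, challenge, _ = parse_md5_challenge(request_pkt)
    scode, sid, value, _ = parse_md5_challenge(response_pkt)
    if rcode != EAP_REQUEST or scode != EAP_RESPONSE or rid != sid:
        return False
    return hmac.compare_digest(value, response_value(sid, password, challenge))


def offline_guess(request_pkt, response_pkt, candidates):
    """Everything an on-path observer needs is in the two captured packets: test
    candidate passwords against the challenge/response pair without touching the server."""
    _, _, challenge, _ = parse_md5_challenge(request_pkt)
    _, sid, value, _ = parse_md5_challenge(response_pkt)
    for word in candidates:
        if response_value(sid, word, challenge) == value:
            return word
    return None
```

The same structure (a hash over challenge and password, checked by recomputation) is what the tunneling methods wrap in TLS: once the exchange runs inside PEAP or EAP-TTLS the observer no longer sees the challenge or the response, and the server certificate gives the client something to authenticate in return.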
802.1X port-based access control
802.1X is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. ACS is the AAA server in the exchange:
1. User activates the link (i.e. turns on the PC).
2. Switch asks the authentication server whether the user is authorized to access the LAN.
3. Authentication server checks the credentials and returns its decision to the switch.
4. Switch opens the controlled port (if authorized) for the user to access the LAN.
Features and Functions
ACS implements identity management and AAA services
- Software: CD-ROM version for any Windows 2003 server
- Appliance: runs on a hardened Win2003 OS
- Scales to large numbers of users and thousands of RADIUS/TACACS+ devices
Appliance characteristics
- Security-hardened underlying OS.
- Port-based packet filtering, allowing connections only to the ports necessary for Cisco Secure ACS operation.
- Serial console interface for initial configuration, subsequent management of connections and the interface, and application upgrades and remote reboots. The serial console interface supports both serial line and Telnet connections.
- Backup/restore of the Cisco Secure ACS data via FTP.
- Network Time Protocol (NTP) support for maintaining network time consistency with other appliances or network devices.
Note that Telnet and FTP carry the console credentials and the backup data (which includes the AAA configuration and shared secrets) in the clear, so both should be reachable only from a dedicated management network.
ACS: The Policy Based Network

ACS versions in the field:
- ACS 4.0 SW (FCS 2004): main feature NAC Phase 2 (external audit, service based policy)
- ACS 4.1 SW (FCS 2006): main features extended logging support, new ACS administrator management, PEAP/EAP-TLS support, ... support
- ACS 4.2 SW (FCS 2008)
Policy configuration
The administrator entirely controls the ACS behavior by configuring:
- How to process an access request: do (not) authenticate / using which authentication protocols
- Credential validation policies (i.e. which database to use for authentication)
- Classification: map identity to a user group, map posture credentials to a posture token
- Authorization policies: map from user group and posture token to a RADIUS profile
Different policies can be applied to different kinds of network access. Example: wireless access vs. remote (VPN) access policy.
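A small policy decision point, written here as an added example (not ACS code; the users, posture credentials, VLAN numbers and ACL names are hypothetical), that evaluates a request through the four pieces listed above in that order, denies by default at each step, and applies a different profile to wireless and VPN access as the slide's example suggests. The RADIUS attribute names in the resulting profiles (Tunnel-Private-Group-ID for the VLAN, Filter-Id for an ACL) are standard ones.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AccessRequest:
    username: str
    access_type: str               # selects the network access profile: "wireless", "vpn", ...
    auth_protocol: str             # "EAP-TLS", "PEAP-MSCHAPv2", "PAP", ...
    posture: Optional[str] = None  # raw posture credential from the client, None if none was sent


@dataclass
class NetworkAccessProfile:
    """One per kind of access, holding the four policy pieces the slide lists."""
    name: str
    allowed_protocols: frozenset                           # request processing
    identity_store: Dict[str, Optional[str]]               # credential validation: user -> group
    posture_map: Dict[str, str]                            # classification: credential -> token
    authorization: Dict[Tuple[str, str], Dict[str, str]]   # (group, token) -> RADIUS profile


def evaluate(profile, req):
    """Policy decision for one request: ("accept", av_pairs) or ("reject", reason).
    Each step denies unless it finds a positive match; nothing falls through."""
    if req.auth_protocol not in profile.allowed_protocols:
        return "reject", f"{req.auth_protocol} not allowed for {profile.name} access"
    group = profile.identity_store.get(req.username)
    if group is None:
        return "reject", "credential validation failed"
    token = profile.posture_map.get(req.posture, "Unknown")
    av_pairs = profile.authorization.get((group, token))
    if av_pairs is None:
        return "reject", f"no authorization rule for group={group}, posture={token}"
    return "accept", av_pairs


# Constructed sample configuration (hypothetical users, VLANs and ACL names).
DIRECTORY = {"alice": "staff", "bob": "guest", "eve": None}   # None: account disabled

WIRELESS = NetworkAccessProfile(
    name="wireless",
    allowed_protocols=frozenset({"EAP-TLS", "PEAP-MSCHAPv2"}),  # no cleartext PAP over the air
    identity_store=DIRECTORY,
    posture_map={"av-current": "Healthy", "av-stale": "Quarantine"},
    authorization={
        ("staff", "Healthy"): {"Tunnel-Private-Group-ID": "10"},
        ("staff", "Quarantine"): {"Tunnel-Private-Group-ID": "99"},
        ("staff", "Unknown"): {"Tunnel-Private-Group-ID": "99"},  # no posture: remediation VLAN
        ("guest", "Healthy"): {"Tunnel-Private-Group-ID": "20"},
    },
)

VPN = NetworkAccessProfile(
    name="vpn",
    allowed_protocols=frozenset({"PAP"}),   # OTP carried as PAP inside the encrypted VPN tunnel
    identity_store=DIRECTORY,
    posture_map={"av-current": "Healthy"},
    authorization={("staff", "Healthy"): {"Filter-Id": "staff-vpn-acl"}},  # guests: no rule, rejected
)

PROFILES = {p.name: p for p in (WIRELESS, VPN)}


def decide(req):
    """Select the profile for the kind of access, then evaluate; unknown kinds are rejected."""
    profile = PROFILES.get(req.access_type)
    if profile is None:
        return "reject", f"no network access profile for {req.access_type}"
    return evaluate(profile, req)
```

The point of keeping the four steps separate is that each can fail independently and the failure reason is specific, which is what makes the audit log useful: a rejected wireless PAP attempt, a disabled account and an unhealthy machine are three different events for the operator even though all three end in Access-Reject.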
Features
- Automatic service monitoring, database synchronization, and importing tools for large-scale deployments
- LDAP, ODBC and OTP (RSA, others) user authentication
- Flexible 802.1X authentication support, including EAP-TLS, ...
- Downloadable ACLs for any Layer 3 device, including routers, PIX firewalls, and VPNs (per user, per group), and filters
- Device command set authorization
- Dynamic quota generation
- User and device group profiles
Scenarios: Cisco Secure ACS
Network Access Scenario: Centralized Access Control Server
[Figure: Cisco Secure ACS as the enterprise's centralized access control server. Remote access (VPN) users arrive through the provider's ISP AAA and a VPN concentrator; wireless users authenticate with 802.1X EAP-TLS through an Aironet AP; LAN users authenticate with 802.1X EAP-FAST through a Catalyst switch; IOS routers are also ACS clients. All of these speak RADIUS to ACS, which consults the user repository (LDAP, AD, OTP, ODBC) and external policy and audit servers (HCAP, GAME). ACS View provides reporting.]
Device Administration Scenario
[Figure: network administrators authenticate through ACS (TACACS+ or RADIUS) to the routers, switches and APs inside the security perimeter, with access levels that differ by group: full access to the backbone, partial access to the West-APs, read-only elsewhere. The same ACS also controls Unix server access, PBX server access, and terminal server / DSMS system access with secure authentication mechanisms. ACS replicates its configuration to a second ACS and sends its logs to a syslog, ACS or RA logging server.]
GUI Interface / Screen Shots
Remote administrator authentication page (http://server-name-or-IP:2002). An administrator account must be configured before remote login is possible. If the GUI is accessed on the local system (for example, using 127.0.0.1 as the IP address) this page is not displayed and the administrator gains access without authenticating. That local bypass means anyone with an interactive login on the ACS host is effectively a full ACS administrator, so local logins to the host must be restricted as tightly as the ACS administrator accounts themselves.