The Art of Applying Identity to Network Access Control Copyright Steve Whitson, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Upload: shanna-harper

Post on 23-Dec-2015


TRANSCRIPT

Page 1:

The Art of Applying Identity to Network Access Control

Page 2:

The Art of Applying Identity to Network Access Control

Steve Whitson, Networking and Telecom Administrator, California College of the Arts

Page 3:

About CCA

• Founded in 1907
• Largest regionally accredited, independent school of art, design and crafts in the western US
• Two campuses: San Francisco and Oakland
• 1,600 undergraduate students
• More than 500 faculty and staff

Page 4:

The Environment: Directories, networks, apps, users

• Legacy email server on an LDAP server (the only place everyone had an account)
• Students/faculty originally in the legacy LDAP system for email accounts
• Bought Sun ONE to migrate all users to a central directory
• Staff on an AD domain; expect to continue to maintain the AD for staff use only
• Lots of Macs and PCs: staff use Mac and Windows XP; want to move them towards wireless 802.1X
• Cisco Airespace wireless: concerned about DHCP leases running out and users on wireless without encryption
• Some users could be faculty/staff, so there is a policy/audit exposure issue for access to confidential records

Page 5:

The Challenge: Securing an Evolving Wireless Network

Limited IT Resources
• Small IT staff: need automation, scaling, geographic coverage
• Need to support more than 2,000 daily network users
• Migratory population of 5 to 1,000 people a day depending on time of year and events

Lack of Security
• Wireless is open; the campus is a hot spot
• Need to lock down wireless with authentication and encryption
• Can't authenticate users from multiple directories
• No easy way to manage campus visitors

Transparency
• Transition from the legacy LDAP-based directory to a single Sun ONE directory server with no adverse impact on users
• Want to move to the improved security of wireless 802.1X later

No robust audit capability

Page 6:

How we went about the solution

Commercial RADIUS servers
• Cisco Systems, Funk Software, IEA Software, Interlink Networks and Lucent Technologies
• Market share: Cisco ACS 24%, Microsoft IAS 23%, Cistron 12%, Funk 11%, OpenRADIUS 10%, Radiator 10%, other products the remainder

FreeRADIUS
• Software implementation on your own hardware; runs on Cygwin, Debian, DragonFlyBSD (via NetBSD pkgsrc), Fedora, FreeBSD, Mac OS X (Leopard Server), Mandriva, NetBSD, OpenBSD, Solaris, SUSE, Windows and Ubuntu

Page 7:

Why Identity Engines Ignition®

• Supports multiple existing directories and migration to a new Sun ONE directory
• Supports 802.1X: MS-CHAP, TTLS; terminates MS-CHAP against Sun ONE
• Easily integrates with the existing wireless network
• Solution is quick to deploy, with no disruption to end users
• Allows us to evolve at our own pace and in our own way
• Quality support

Page 8:

The Results

• Authenticated wireless users; hot spot eliminated
• Accreditation and CALEA compliance
• Sun ONE deployment and user authentication migration
• Guest management successful
• Encryption for privileged users
• Authenticating VPN users on both our Cisco ASA 5520 firewalls (Oakland and San Francisco)
• Accounting: knowing who is on our network

Page 9:

Where we go from here

• Deploy 802.1X port-based authentication
• Authenticate wired and wireless access with centralized policy authoring and audit
• Segmented virtual networks based on roles: student, faculty, staff
• Migrate to a centralized identity infrastructure based on the Sun ONE directory server
• Enable discount policy at the campus bookstore for a broader community…
• VPN integration for students, faculty and staff

Page 10:

Recommendation

• Of the products offered, simple is better
• After careful consideration we came to the conclusion that the Identity Engines product offered us the best vehicle for simplicity, performance and security
• Product support

Page 11:

Identity-centric Access Control for Education Networks

Chris Radkowski, Director, Business Development, Identity Engines

Page 12:

12 © 2008 Identity Engines, Inc. Proprietary and Confidential. http://www.idengines.com

Select Education Customers

Page 13:

What they say

“Our environment is very diverse, with many operating systems, NIC cards, etc., and one of our biggest concerns with our 802.1X deployment was the volume of trouble calls that we might experience related to end-point configurations. AutoConnect has worked flawlessly so far – since the rollout we have had zero trouble calls relating to supplicant configuration.”

Mark Redican, Network Operations Center Manager, IET – Communications Resources, University of California, Davis

“The Guest Manager tool from Identity Engines allows us to provision temporary guest accounts without having to touch the directory. The benefits of this new infrastructure include easing time spent on account management of guests and it has also lessened the work load on the help desk.”

Aaron Smith, Network Engineer Supervisor, BYU - Idaho

Pat Cronin of Bridgewater State College believes the NAC solution is a good investment because the Identity Engines piece provides the campus the protection it needs and wants.

“We’ve never had the wireless or administrative network go down due to viruses, because we have the appropriate protection.”

Pat Cronin, Associate Vice President, Technology, Systems and Networking, Bridgewater State College. Source: University Business, March 2008

Page 14:

Comprehensive Access Control for Campus Networks

Page 15:

University Campus Deployment

Page 16:

Education Drivers

• Security against lost or stolen laptops re-entering the network
• Compliance with CALEA, FERPA, PCI, and DMCA
• Differentiated access between students, faculty, and administration
• Asset-to-identity correlation
• Granular classroom control for wireless access driven off of course registration and calendaring
• Sophisticated guest management
• Automated client configuration
• NAC – policy based end-point network access

Page 17:

Higher Education Guest Access

Diagram labels: AAA; Guest Admin(s); Guest Manager; User Directory (Faculty / Students only); Visiting Sports Team; Visiting Parent; Visiting Professor; Community Member (fee-based); Campus Wireless Network; Research Network; Library Network; Sports Facilities; Internet.

• Multiple constituencies can be allowed on the network based on their rights
• Generates revenue from the campus-wide wireless network
• Allows for secure (802.1X / VPN) connections or simple web authentication
• Sporting and other types of events can be set up in advance with credentials sent to participants

Page 18:

Ignition Guest Manager™

Page 19:

RBAC example: Secure wireless

Diagram labels: AAA; Guest Admin(s); Guest Manager; User Directory (Employees only); Guest; Contractor; Finance Employee; Web Auth; 802.1X Auth; 802.1X Auth; Internet; Internal Network; Finance Network.

• Authenticate all WLAN access, enabling user audit and differentiated access
• Dynamic VLAN assignment segments traffic, with enforcement via ACLs
• Guests can be forced to the Internet only, contractors can be given restricted internal access, privileged employees can see sensitive areas
• Guest access is fully audited rather than open
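The role-segmented VLANs planned on page 9 and the secure-wireless RBAC slide above both describe the authorization step a RADIUS server performs after a user has authenticated: map the identity to a role, check that the access method is strong enough for the network that role reaches, and hand the VLAN back to the switch or WLAN controller. The following is an added example, not code from the slide deck, from CCA or from Identity Engines' Ignition Server: a small Python model of that decision, a time-bounded guest record of the kind a guest-manager tool provisions, and the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that carry the VLAN in an Access-Accept. The role names, VLAN numbers, directory groups, guest records, clock values, and the assumption that guests arrive via web authentication while contractors and finance staff use 802.1X are all made up for the example.

```python
"""Role-based wireless authorization with RADIUS dynamic-VLAN attributes.
Added example, not code from the slide deck, CCA or Identity Engines' Ignition
Server; roles, VLANs, groups and guest records are assumptions for the example."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# RFC 2868 tunnel attributes (type numbers and enum values) used for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Policy: role -> VLAN and the auth methods allowed to reach it
# ("web" = captive-portal web auth, "dot1x" = 802.1X/EAP). Assumed values.
POLICY = {
    "guest":      {"vlan": 300, "methods": {"web", "dot1x"}},  # Internet only
    "contractor": {"vlan": 200, "methods": {"dot1x"}},         # restricted internal
    "finance":    {"vlan": 100, "methods": {"dot1x"}},         # sensitive network
}
# Constructed guest-store record: event credentials valid only inside a window.
GUEST_STORE = {"visiting-team-07": {
    "valid_from": datetime(2008, 4, 1, 8, 0, tzinfo=timezone.utc),
    "valid_until": datetime(2008, 4, 1, 22, 0, tzinfo=timezone.utc)}}
# Constructed directory view (employees only): username -> groups; group -> role.
DIRECTORY = {"alice": {"staff", "finance"}, "bob": {"contractors"}}
GROUP_TO_ROLE = [("finance", "finance"), ("contractors", "contractor")]
# Sample clock values: noon on the event day, and the day after.
EVENT_NOON = datetime(2008, 4, 1, 12, 0, tzinfo=timezone.utc)
DAY_AFTER = datetime(2008, 4, 2, 12, 0, tzinfo=timezone.utc)


@dataclass
class Decision:
    accept: bool
    role: Optional[str]
    vlan: Optional[int]
    reason: str


def resolve_role(username: str, now: datetime) -> Optional[str]:
    """Map an identity to a role; None (fail closed) if it has none."""
    guest = GUEST_STORE.get(username)
    if guest is not None:  # guests: only inside their validity window
        return "guest" if guest["valid_from"] <= now <= guest["valid_until"] else None
    groups = DIRECTORY.get(username, set())
    for group, role in GROUP_TO_ROLE:  # first match wins, in explicit order
        if group in groups:
            return role
    return None


def authorize(username: str, method: str, now: datetime) -> Decision:
    """Accept/reject an authenticated session and choose its VLAN."""
    role = resolve_role(username, now)
    if role is None:
        return Decision(False, None, None, "no role, or outside validity window")
    rule = POLICY[role]
    if method not in rule["methods"]:
        return Decision(False, role, None, f"{method} not allowed for role {role}")
    return Decision(True, role, rule["vlan"], "ok")


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer attribute: type, length=6, tag, 24-bit value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """RFC 2868 tagged string attribute: type, length, tag (1..31), bytes."""
    data = value.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan: int, tag: int = 1) -> bytes:
    """The three attributes a NAS needs in an Access-Accept to assign a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def decode_attributes(raw: bytes) -> list:
    """Parse an attribute list back into (type, tag, value) tuples."""
    out, i = [], 0
    while i < len(raw):
        attr_type, length, body = raw[i], raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        else:
            out.append((attr_type, body[0], body[1:].decode()))
        i += length
    return out


if __name__ == "__main__":
    for user, method in [("alice", "dot1x"), ("alice", "web"), ("bob", "dot1x"),
                         ("visiting-team-07", "web"), ("mallory", "web")]:
        d = authorize(user, method, EVENT_NOON)
        print(user, method, d)
        if d.accept:
            print("  reply:", decode_attributes(vlan_attributes(d.vlan)))
```

Two points carry over to any product: the decision fails closed (an identity with no matching role, or a guest outside the validity window of the credentials issued for the event, is rejected rather than dropped into a default VLAN), and the VLAN returned in Tunnel-Private-Group-ID is only a placement; the segmentation the slide's second bullet promises depends on the NAS honouring the attribute and on ACLs actually existing between the guest, internal and finance VLANs.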

Page 20:

Ignition® Product Ecosystem

• Ignition Server™: identity and policy-based authentication and authorization server (RADIUS, TACACS+)
• Ignition Posture Module™: posture integration with XSupplicant
• Ignition Portal™: captive portal for guests and legacy platforms
• Ignition AutoConnect™: auto-configuration of clients for 802.1X
• Ignition Reports™: integrated reporting solution
• Ignition Guest Manager™: extensible and customizable visitor solution

Page 21:

Conclusion

• Identity-based access control is a key component of a comprehensive network access strategy
• Guest management should be considered for both wired and wireless network access
• A standards-based approach is necessary to integrate with disparate network and directory systems and enforce business policies
• Your existing infrastructure can be reused
• 802.1X supports a phased rollout; consider external vs. internal access as a good starting point

Page 22:

Thank you

For more information
• Visit Identity Engines’ Poster Session: April 1, 2008, 1:30 p.m. - 2:30 p.m., Peacock Court, Lobby Level
• Request a free trial of AutoConnect: call 877 433-8660 or visit www.idengines.com/trial
• Visit us at: www.idengines.com