
Cisco Secure Access Control System

Policy Control and Integration Point for Network Access
Enterprise network access control platform
Remote Access (VPN)
Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)
Administrative access control system for Cisco network devices (TACACS+)

Auditing, compliance and accounting features

Control point for access policy & application access integration

Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Consistent Policy Control and Compliance
Key Scenarios

Device Administration
Remote Access

Wireless and 802.1x

Network Admission Control (NAC)

Compliance features

[Diagram: ACS in the middle, integrated with CiscoWorks, AD / LDAP, and Posture / Audit servers]

Authentication policy (OTP, complex password)

Authorization enforcement (network access, device command authorization)
Audit logging

ACS Network Access Control Point

[Diagram: Cisco Secure ACS as the central RADIUS control point.
Who: remote users (Home Office, Road Warrior), Campus User, Guest User, laptops and other devices.
Where: Dial Access through a Provider and ISP AAA; Cisco VPN Client to VPN Concentrator; Cisco or CCX WLAN Client to Aironet AP; 802.1x Supplicant to Catalyst Switch; Web Auth; IOS Router.
Why: "some of the people some of the time" (remote access), "all of the people all of the time" (campus), "all machines", "all devices".
ACS evaluates User, Machine and Posture (Cisco Trust Agent Posture Client, CTS Device Posture Client, Enterprise NIC Controller via TRDP) against the User Repository (LDAP, AD, OTP, ODBC) and External Policy and Audit Servers (HCAP, GAME).]

How is ACS used


Our customers use ACS for:
1. Authentication and authorization (privileges) of remote users (traditional RADIUS)
2. Security of wired and wireless networks (EAP)
3. Administrators' access management to network devices and applications (TACACS+)
4. Security audit reports or account billing information

Ships in two form factors: Software and Appliance

ACS has been successful because it combines access security, authentication, user and administrator access, and policy control in a centralized identity framework


AAA Related Protocols


RADIUS - Remote Authentication Dial In User Service

TACACS+ - Terminal Access Controller Access Control System
TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the TACACS protocol referenced by RFC 1492 and is not backward compatible with TACACS or XTACACS. Unlike RADIUS it runs over TCP (port 49), separates authentication, authorization and accounting into distinct exchanges (which is what makes per-command authorization possible), and obfuscates the whole packet body with the shared key instead of only the password field. That obfuscation is an MD5-derived keystream, not strong encryption, so the TACACS+ path between device and ACS still belongs on a protected management network.


What is RADIUS?
A protocol used to communicate between a network device and an authentication server or database.
Allows the communication of login and authentication information, i.e. username/password, OTP, etc.
Allows the communication of arbitrary value pairs using Vendor Specific Attributes (VSAs).
Can also act as a transport for EAP messages.
Originally RFC 2058; the current specification is RFC 2865 (authentication and authorization) and RFC 2866 (accounting).
RADIUS runs over UDP and authenticates each NAS with a shared secret; the User-Password attribute is hidden with an MD5-based construction rather than encrypted, so use a distinct secret per NAS and keep the NAS-to-ACS path on a protected network.

[Diagram: RADIUS packet on the wire - UDP Header | RADIUS Header | EAP Payload]

How Cisco Secure ACS Operates

[Diagram: a variety of authentication methods arrive at the AAA Client (Network Access Server), which speaks TACACS+ or RADIUS to Cisco Secure ACS; ACS validates credentials against a local database or a variety of external databases.]

AAA Client/Server
- AAA Client defers authorization to centralized AAA server
- Highly scalable
- Uses standards-based protocols for AAA services

Some important points of Authentication

The process of authentication is used to verify a claimed identity.
An identity is only useful as a pointer to an applicable policy and for accounting.
Without authorization or associated policies, authentication alone is pretty meaningless.
An authentication system is only as strong as the method of verification used.

Network Access Control Model

[Diagram: a device requests service (connectivity) over LAN or wireless; the access device uses 802.1x towards the client and RADIUS towards ACS; ACS provides backend authentication support and identity store integration.]

Protocols and Mechanism
Extensible Authentication Protocol (EAP, RFC 3748)
IEEE 802.1x framework
Use of RADIUS

How RADIUS is used here?

RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server).
RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579. It carries the EAP packet in one or more EAP-Message attributes (at most 253 bytes of value each) and requires a Message-Authenticator attribute on every packet that contains EAP-Message; a server must silently discard EAP-carrying packets that lack it or whose HMAC-MD5 does not verify.

[Diagram: IP Header | UDP Header | RADIUS Header | EAP Payload]

RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.

[Diagram: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs]

Usage guideline for 802.1x authenticators' use of RADIUS: RFC 3580.
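The packet layout on this slide and on the "What is RADIUS?" slide can be made concrete by building one. The following is an added example, not code from the presentation or from Cisco: it constructs the Access-Request a switch would send after receiving an EAP-Response/Identity from a supplicant (RADIUS header, User-Name, EAP-Message and Message-Authenticator attributes), then parses it and performs the RFC 3579 Message-Authenticator check a server must do before trusting the EAP payload. The shared secret, the user "alice" and the fixed Request Authenticator are constructed sample values.

```python
"""Build, parse and verify a RADIUS Access-Request carrying an EAP payload (added example)."""
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
# EAP code and type (RFC 3748)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
MAX_ATTR_VALUE = 253  # one-byte attribute Length includes the 2-byte Type/Length header


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response/Identity: Code=2, Identifier, Length, Type=1, identity string."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (value + 2), Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(radius_id: int, request_authenticator: bytes, secret: bytes,
                         username: bytes, eap_packet: bytes) -> bytes:
    """Access-Request with User-Name, EAP-Message(s) and a valid Message-Authenticator."""
    attrs = attribute(ATTR_USER_NAME, username)
    # An EAP packet longer than 253 bytes is split over consecutive EAP-Message attributes
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        attrs += attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
    # Message-Authenticator is HMAC-MD5(secret, packet) with its own 16-byte value zeroed
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + request_authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac          # the zeroed placeholder is the last attribute value


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, radius_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:                 # octets beyond Length are padding and are ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, radius_id, packet[4:20], attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """RFC 3579 s.3.2 check: recompute HMAC-MD5 over the packet with the attribute zeroed.
    Returns False when the attribute is absent, which for EAP traffic means 'discard'."""
    parse_radius(packet)                # structural validation first (raises on garbage)
    length = struct.unpack("!H", packet[2:4])[0]
    packet = packet[:length]
    pos, offset = 20, None
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            offset = pos + 2
        pos += attr_len
    if offset is None:
        return False
    received = packet[offset:offset + 16]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def reassemble_eap(attrs) -> bytes:
    """Concatenate EAP-Message values in order to recover the EAP packet."""
    return b"".join(value for attr_type, value in attrs if attr_type == ATTR_EAP_MESSAGE)


# Constructed sample (not captured traffic): supplicant "alice" answering EAP-Request/Identity.
# The secret and Request Authenticator are fixed only so the bytes are reproducible;
# a real NAS generates a fresh random 16-byte Request Authenticator per request.
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))
SAMPLE = build_access_request(7, REQ_AUTH, SECRET, b"alice", eap_response_identity(1, b"alice"))
```

The verify function deliberately returns False rather than raising when Message-Authenticator is missing: that is the silent-discard behaviour the RFC asks for, and it is the check that stops an on-path party from splicing a different EAP payload into a request whose Request Authenticator alone does not cover the attributes.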

What's EAP?
EAP - The Extensible Authentication Protocol
A flexible protocol used to carry arbitrary authentication information, not the authentication method itself.
Rose out of the need to reduce the complexity of relationships between systems and the increasing need for more elaborate and secure authentication methods.
Typically rides directly over data-link layers such as 802.1x or PPP media.
Originally specified in RFC 2284, obsoleted by RFC 3748.

What does it do?
Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry EAP information.
Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges; EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS.
Three forms of EAP are specified in the standard:
EAP-MD5: MD5 hashed username/password
EAP-OTP: one-time passwords
EAP-GTC: token-card implementations requiring user input

[Diagram: Ethernet Header | 802.1x Header | EAP Payload]

Current Prevalent Authentication Methods

Challenge-response-based
EAP-MD5: Uses MD5 based challenge-response for authentication. Provides no mutual authentication and derives no session keys, so it is unsuitable for wireless.
LEAP: Uses username/password authentication (Cisco proprietary, MS-CHAP based). The challenge-response is exposed on the air and is subject to offline dictionary attacks, which is why EAP-FAST was introduced as its replacement.
EAP-MSCHAPv2: Uses username/password MSCHAPv2 challenge-response authentication; run it only inside a protected tunnel (PEAP).

Cryptographic-based
EAP-TLS: Uses X.509 v3 PKI certificates and the TLS mechanism for authentication (mutual; requires a certificate on every client)

Tunneling methods
PEAP: Protected EAP, a tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like web-based SSL
EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel
EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment (a per-client PAC is provisioned instead)
For all tunneled methods the supplicant must validate the server certificate (or PAC); a client configured to skip that check will hand its inner credentials to a rogue access point.

Other
EAP-GTC: Generic token and OTP authentication

IEEE 802.1x
802.1x is a port-based access control and authentication standard (client-server: supplicant, authenticator, authentication server) that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. Until the authentication server accepts the client, the switch port passes nothing but EAPOL.

[Diagram: PC (supplicant) - Catalyst switch (authenticator) - ACS (AAA Server); steps 2 and 4 are on the switch-to-ACS and switch-to-port sides respectively]

1. User activates link (ie: turns on the PC)
2. Switch asks the authentication server whether the user is authorized to access the LAN (EAP carried over RADIUS)
3. Authentication server responds with the access decision (Access-Accept or Access-Reject) and any authorization attributes
4. Switch opens the controlled port (if authorized) for the user to access the LAN

Features and
Functions


Service Based Policy


The administrator entirely controls the ACS behavior by configuring aggregated Service Based Policies:
- How to process an access request: do (not) authenticate / using which auth protocols / do (not) validate posture / which posture protocols
- Credential validation policies (i.e. which DB to use for auth)
- Classification: map identity to user-group, map posture credentials to posture-token
- Authorization policies: map from user-group & posture-token to RADIUS profile

Different policies can be applied to different network access.
Example: wireless access vs. remote (VPN) access policy
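The four policy stages above (protocol admission, credential validation, classification, authorization) are easier to reason about as a small evaluation pipeline. The code below is an added example modelling that pipeline in Python; it is not ACS code and does not reproduce ACS's configuration schema. Service names, the directory group names (CN=NetAdmins, CN=Staff), the posture attributes (os_patched, av_signature_age_days) and the RADIUS profile names are all hypothetical. It shows the wireless-versus-VPN split from the slide: wireless demands posture, VPN does not, and a request with no posture data is quarantined rather than treated as healthy.

```python
"""Toy model of ACS-style service-based policy evaluation (added example, not ACS code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    service: str                    # which network service the NAS is requesting for the user
    auth_protocol: str              # e.g. "EAP-TLS", "PEAP-MSCHAPv2", "PAP"
    identity_groups: frozenset      # groups the credential store (e.g. AD) returned for the user
    posture: Optional[dict] = None  # posture credentials from the client, None if none were sent


@dataclass(frozen=True)
class ServicePolicy:
    allowed_protocols: frozenset    # step 1: which auth protocols this service accepts
    posture_required: bool          # step 1: do (not) validate posture
    group_rules: tuple              # step 3: ordered (identity_group, user_group), first match wins
    authorization: dict             # step 4: (user_group, posture_token) -> RADIUS profile
    default_profile: str = "Deny"   # anything not explicitly mapped is denied


def classify_group(policy: ServicePolicy, request: Request) -> str:
    """Map identity store groups onto an ACS user-group; unmatched identities fall to Default."""
    for identity_group, user_group in policy.group_rules:
        if identity_group in request.identity_groups:
            return user_group
    return "Default"


def classify_posture(posture: Optional[dict]) -> str:
    """Map posture credentials onto a posture token (hypothetical attribute names)."""
    if posture is None:
        return "Unknown"
    if posture.get("os_patched") and posture.get("av_signature_age_days", 999) <= 7:
        return "Healthy"
    return "Quarantine"


def evaluate(policies: dict, request: Request) -> Tuple[str, str]:
    """Return (RADIUS profile, reason). Every failure path ends in the default (deny) profile."""
    policy = policies.get(request.service)
    if policy is None:
        return "Deny", "no policy for service"
    if request.auth_protocol not in policy.allowed_protocols:
        return "Deny", f"{request.auth_protocol} not permitted for {request.service}"
    user_group = classify_group(policy, request)
    if policy.posture_required:
        token = classify_posture(request.posture)
        if token == "Unknown":           # missing posture is never treated as healthy
            token = "Quarantine"
    else:
        token = "NotChecked"
    profile = policy.authorization.get((user_group, token), policy.default_profile)
    return profile, f"group={user_group} posture={token}"


GROUP_RULES = (("CN=NetAdmins", "Admins"), ("CN=Staff", "Employees"))

# Constructed policy set: the wireless/VPN example from the slide, with hypothetical profile names
POLICIES = {
    "wireless": ServicePolicy(
        allowed_protocols=frozenset({"EAP-TLS", "PEAP-MSCHAPv2", "EAP-FAST"}),
        posture_required=True,
        group_rules=GROUP_RULES,
        authorization={
            ("Admins", "Healthy"): "Full-Access",
            ("Employees", "Healthy"): "Corp-VLAN",
            ("Admins", "Quarantine"): "Remediation-VLAN",
            ("Employees", "Quarantine"): "Remediation-VLAN",
        },
    ),
    "vpn": ServicePolicy(
        allowed_protocols=frozenset({"EAP-TLS", "PEAP-MSCHAPv2"}),
        posture_required=False,
        group_rules=GROUP_RULES,
        authorization={
            ("Admins", "NotChecked"): "VPN-Full",
            ("Employees", "NotChecked"): "VPN-Split-Tunnel",
        },
    ),
}
```

Two design points carry over to a real deployment: the authorization table is keyed on the pair (user-group, posture-token) with a deny default, so adding a group or a token never silently grants access, and classification rules are ordered so an account that is in both an admin and a staff group lands in one predictable group.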


ACS Features
Automatic service monitoring, database synchronization, and importing tools for large-scale deployments
LDAP, ODBC and OTP (RSA, others) user authentication
Flexible 802.1X authentication support, including EAP-TLS, Protected EAP (PEAP), Cisco LEAP, EAP-FAST, and EAP-MD5
Downloadable ACLs for any Layer 3 device, including routers, PIX firewalls, and VPNs (per user, per group)
Network & machine access restrictions and filters
Device command set authorization
Detailed audit and accounting reports
Dynamic quota generation
User and device group profiles


Deployment
Scenarios

Cisco Secure ACS


Network Access Scenario

[Diagram: Centralized Access Control Server. A Remote User reaches the Enterprise through a Provider (ISP AAA) and a VPN Concentrator (Remote Access - VPN); a Wireless User authenticates to an Aironet AP with 802.1x EAP-TLS; a Wired User authenticates to a Catalyst Switch with 802.1x EAP-FAST; an IOS Router fronts the LAN. All access devices speak RADIUS to Cisco Secure ACS, which consults the User Repository (LDAP, AD, OTP, ODBC) and External Policy and Audit Servers (HCAP, GAME); ACS View provides reporting.]

Device Administration Scenario

[Diagram: Network Administrators authenticate through ACS (TACACS+ or RADIUS, with replication between ACS servers) to manage Routers, Switches and APs across the Backbone. Per-role authorization: FULL ACCESS to the West APs, PARTIAL access at the Security Perimeter, READ ONLY on the East side, SERVER ACCESS to Unix and DSMS hosts, and Terminal Server System Access to the PBX. Logs go to Syslog, ACS or an RA logging server.]
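The device side of this scenario is a TACACS+ AAA client configuration. The fragment below is an added example of the IOS commands that make a router defer login, exec and per-command authorization to ACS and ship accounting records back; it is not taken from the presentation. The ACS address 10.0.0.5, the shared key placeholder and the fallback account name are hypothetical.

```text
! Added example: IOS device as TACACS+ AAA client of ACS (hypothetical addresses and names)
aaa new-model
!
tacacs-server host 10.0.0.5
tacacs-server key <shared-secret-for-this-device>
!
! Login and exec go to ACS; "local" is consulted only if every TACACS+ server is unreachable,
! not when ACS rejects the user, so the fallback account does not weaken central policy.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Per-command authorization: ACS decides each privilege-1 and privilege-15 command
! (READ ONLY / PARTIAL / FULL ACCESS roles in the diagram are command sets on ACS).
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
! Accounting: every exec session and privileged command is recorded on ACS.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Emergency local account for the unreachable-server case; keep it out of daily use.
username break-glass privilege 15 secret <strong-local-password>
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting commands 15 default
```

Two checks are worth doing after applying this: confirm from a second session that commands are actually being authorized (`show` output still works for a READ ONLY user, `configure terminal` is refused), and verify that the ACS command-accounting log shows the refused attempt, since the audit trail is the part of the scenario that proves enforcement happened.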
Secure auth
mechanisms