Policy Control and Integration Point for Network Access
Enterprise network access control platform
Remote Access (VPN)
Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)
Administrative access control system for Cisco network devices (TACACS+)
Presentation_ID
Device Administration, Remote Access, Compliance features (CiscoWorks, ACS, AD / LDAP, Posture / Audit)
[Diagram: where and why ACS applies. Users (Home Office, Road Warrior, Campus User, Guest User) reach the enterprise through the Cisco VPN Client and VPN Concentrator, a Cisco or CCX WLAN Client and Aironet AP, an 802.1x Supplicant and Catalyst Switch, Web Auth, or Dial Access through the provider's ISP AAA. The access devices, including IOS Routers, speak RADIUS to Cisco Secure ACS, which authenticates User, Machine and Posture (Posture Client, CTS Device, Enterprise NIC Controller (TRDP)) against the User Repository (LDAP, AD, OTP, ODBC). Coverage goal: all of the people all of the time, all machines, all devices.]
What is RADIUS?
A protocol used to communicate between a network device and an authentication server or database.
Packet layout: UDP Header | RADIUS Header | EAP Payload
[Diagram: AAA Client (Network Access Server) communicating over TACACS+ or RADIUS with the AAA server, which is backed by a local database or a variety of external databases.]
AAA Client/Server
- AAA Client defers authorization to the centralized AAA server
- Highly scalable
- Uses standards-based protocols for AAA services
[Diagram: ACS providing LAN and Wireless access control over RADIUS and 802.1x, with Backend Authentication Support and Identity Store Integration.]
Packet layout: IP Header | AV Pairs | EAP Payload
What's EAP?
EAP: The Extensible Authentication Protocol
A flexible protocol used to carry arbitrary authentication information, not the authentication method itself.
Arose from the need to reduce the complexity of relationships between systems and the increasing need for more elaborate and secure authentication methods.
Typically rides directly over data-link layers such as 802.1x or PPP media.
Originally specified in RFC 2284, obsoleted by RFC 3748.
What does it do?
Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.
Frame layout: Ethernet Header | 802.1x Header | EAP Payload
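Added example, not from the presentation: a small Python parser for the encapsulation described on these slides (RADIUS header, AV pairs, EAP payload), which also verifies the Message-Authenticator that RFC 3579 requires whenever EAP-Message is carried in RADIUS. The shared secret, the request authenticator and the EAP Identity Response are constructed sample values.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE = 79            # RADIUS attribute carrying EAP (RFC 3579)
MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the packet, required alongside EAP-Message
SHARED_SECRET = b"constructed-shared-secret"  # constructed NAS/ACS secret
# Constructed EAP Identity Response: code 2 (Response), id 1, length 10, type 1 (Identity), "alice"
SAMPLE_EAP = struct.pack("!BBH", 2, 1, 10) + b"\x01" + b"alice"

def parse_radius(packet):
    """Split a RADIUS datagram into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length does not match the datagram")
    avps, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        avps.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], avps

def parse_eap(avps):
    """Reassemble EAP-Message fragments and decode the EAP header: (code, id, type, data)."""
    payload = b"".join(value for atype, value in avps if atype == EAP_MESSAGE)
    code, ident, length = struct.unpack("!BBH", payload[:4])
    return code, ident, (payload[4] if length > 4 else None), payload[5:length]

def message_authenticator_ok(packet, secret):
    """Verify the HMAC-MD5 Message-Authenticator (computed with its own value zeroed)."""
    parse_radius(packet)  # reject structurally broken datagrams before walking attributes
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator with EAP-Message: RFC 3579 says discard

def build_access_request(secret, eap_payload, ident=1):
    """Constructed Access-Request (code 1) as a NAS would send it to ACS."""
    request_authenticator = bytes(range(16))  # constructed; a real NAS uses a random nonce
    attrs = bytes([EAP_MESSAGE, 2 + len(eap_payload)]) + eap_payload
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # placeholder, filled in below
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
```

A server that accepts the tampered packet below would be trusting an EAP identity that nobody holding the shared secret ever sent; the Message-Authenticator check is what ties the EAP payload to the NAS.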
Cryptographic-based tunneling methods
- PEAP: Protected EAP; a tunnel-mode EAP encapsulator that tunnels other EAP types in an encrypted tunnel, much like web-based SSL
- EAP-TTLS: other EAP methods over an extended EAP-TLS encrypted tunnel
- EAP-FAST: recent tunneling method designed not to require certificates at all for deployment
Other
- EAP-GTC: generic token and OTP authentication
IEEE 802.1x
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.
[Diagram: 802.1x exchange with ACS as the AAA Server.]
Features and Functions
ACS Features
Automatic service monitoring, database synchronization, and importing tools for large-scale deployments
LDAP, ODBC and OTP (RSA, others) user authentication
Deployment Scenarios
Remote Access - VPN / ACS View
[Diagram: a Wireless User (802.1x EAP-TLS via Aironet AP), a Wired user (802.1x EAP-FAST via Catalyst Switch), a VPN user via the VPN Concentrator, and dial-in users via the provider's ISP AAA all authenticate to Cisco Secure ACS over RADIUS; ACS consults the User Repository (LDAP, AD, OTP, ODBC) and also serves IOS Routers on the LAN.]
Enterprise device administration
[Diagram: Routers, Switches and APs grouped as Backbone, West-APs, East and Security Perimeter, with access levels FULL ACCESS, PARTIAL, READ ONLY and SERVER ACCESS; ACS logs to Syslog, ACS or an RA logging server, with T+ or RADIUS replication to a second ACS; Unix, DSMS, PBX and Terminal Server system access are also controlled. Secure auth mechanisms.]