Cisco Secure ACS Overview

By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com

2006 Cisco Systems, Inc. All rights reserved.

Cisco Secure Access Control System

Policy C t l d I t P li Control and Integration Point for Network Access ti P i t f N t kA Enterprise network access control platform
Remote Access (VPN) Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc) Administrative access control system for Cisco network devices (TACACS ) (TACACS+)

Auditing, compliance and accounting features Control point for access policy & application access integration Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Consistent Policy Control and Compliance

Key Scenarios y
Device Administration Remote Access Wireless and 802.1x Network Admission Control (NAC)
Posture / Audit ACS AD / LDAP CiscoWorks

Compliance features
Authentication policy (OTP, complex password)

Authorization enforcement (network access, device command authorization) ) Audit logging

Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

ACS Network Access Control Point

Who?
Remote Users
Some of th S f the people some of the time
Cisco or CCX WLAN Client VPN Concentrator RADIUS

Home Office Road Warrior Campus User Guest User Cisco VPN Client Laptop Device
Dial Access

Where?
Provider
ISP AAA

Why?

User Repository (LDAP, AD, OTP, ODBC)

All of the people all of the time

Web Auth

Aironet AP

All machines

802.1x 802 1x Supplicant

Catalyst Switch

All devices

Cisco Trust Agent Posture Client IOS Router

Cisco S Ci Secure ACS

External Policy and Audit Servers (HCAP, GAME)

User, M hi U Machine, Posture

CTS D i Device Posture Client

Enterprise
NIC Controller (TRDP)

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

How is ACS used

Our customers use ACS for:
1.Authentication and authorization (privileges) of remote users (traditional RADIUS) 2.Security of wired and wireless networks (EAP) 2S it f i d d i l t k 3.Administrators' access management to network devices and applications (TACACS+) 4.Security audit reports or account billing information

Ships in two form factors: Software and Appliance ACS has been successful because it combines access security, authentication, user and administrator access, and policy control in a centralized identity framework
5

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

AAA Related Protocols

RADIUS Remote Authentication Dial In User Service TACACS+ - Terminal Access Controller Access Control System
TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the TACACS protocol referenced b RFC 1492 t l f d by 1492.

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

What is RADIUS ?
A protocol used to communicate between a network device and an authentication server or database database. Allows the communication of login and authentication information. i.e.. Username/Password, OTP, etc. Allows the communication of arbitrary value pairs using Vendor Specific Attributes (VSAs). g Can also act as a transport for EAP messages. RFC 2058

UDP Header

RADIUS Header

EAP Payload

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

How Cisco Secure ACS Operates

Variety of Authentication Methods TACACS+ RADIUS Local or Variety of External Databases

AAA Client (Network Access Server)

Cisco Secure ACS

AAA Client/Server
-AAA Client defers authorization to centralized AAA server - Highly scalable - Uses standards-based protocols for AAA services

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Some important points of Authentication

The process of authentication is used to verify a claimed identity An identity is only useful as a pointer to an applicable policy and for accounting Without authorization or associated policies, authentication alone is pretty meaningless An authentication system is only as strong as the method of verification used

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Network Access Control Model

Device Access LAN Wireless

ACS

Request for Service (Connectivity)

Backend Authentication Support

Identity Store Integration

802.1x

RADIUS

Protocols and Mechanism Extensible Authentication Protocol (EAP-RFC 3748) (EAP RFC IEEE 802.1x framework Use of RADIUS f S
Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

10

How RADIUS is used here ?

RADIUS acts as the transport for EAP, from the authenticator ( it h) t the authentication server th ti t (switch) to th th ti ti (RADIUS server) RFC for how RADIUS should support EAP between pp authenticator and authentication serverRFC 3579
IP Header UDP Header RADIUS Header EAP Payload

RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs
IP Header UDP Header RADIUS Header EAP Payload AV Pairs

Usage guideline for 802 1x authenticators use of 802.1x RADIUSRFC 3580

Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

11

What s Whats EAP ?

EAP The Extensible Authentication Protocol A flexible protocol used to carry arbitrary authentication information not the authentication method itself. Rose out of need to reduce complexity of relationships between systems and increasing need for more elaborate and secure authentication methods Typically rides directly over data-link layers such as 802.1x or PPP media. Originally specified in RFC 2284, obsolete by RFC 3748

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

12

What does it do ?
Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry EAP information Establishes and manages connection allo s a thentication b connection; allows authentication by encapsulating various types of authentication exchanges; EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS Three forms of EAP are specified in the standard
EAP-MD5MD5 hashed username/password EAP-OTPone-time passwords EAP-GTCtoken-card i l EAP GTC t k d implementations requiring user i t ti ii input t

Ethernet Header Eth tH d

802.1x Header 802 1 H d

EAP P l d Payload

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

13

Current Prevalent Authentication Methods M th d

Challenge-response-based
EAP-MD5: Uses MD5 based challenge-response for authentication LEAP: Uses username/password authentication EAP-MSCHAPv2: Uses username/password MSCHAPv2 challenge-response authentication

Cryptographic-based
EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for authentication

Tunneling T nneling methods

PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnelmuch like web based SSL EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment

Other
EAP GTC: EAP-GTC: Generic token and OTP authentication

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

14

IEEE 802.1x
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports
ACS - AAA Server

1 4 1 User activates link (ie: turns on the PC)

2 3

2 Switch requests authentication server if user is authorized to access LAN 3 Authentication server responds with authority access 4 Switch opens controlled port (if authorized) for user to access LAN
Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

15

Features and Functions

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

16

Hardware/Software Platform
ACS implements identity CS p e e s de y management and AAA services CD-ROM version for any Windows 2003 server Appliance version delivered on hardened Win2003 OS Highly scalable (100 000+ (100,000+ users, thousands of RADIUS/TACACS+ devices) and feature rich feature-rich
Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

17

Features Unique to the ACS Appliance

Security-hardened underlying OS. Port-based packet filtering, allowing connections only to the ports necessary for Cisco Secure ACS operation. Serial console interface for initial configuration, subsequent management of IP connections, W b i t f t f ti Web interface, and application of d li ti f upgrades and remote reboots. The serial console interface supports both serial line and Telnet connections. SNMP read only support to monitor the appliance from external read-only systems. Backup/restore of the Cisco Secure ACS data via FTP. Recovery procedures procedures. Network Timing Protocol (NTP) support for maintaining network time consistency with other appliances or network devices.

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

18

ACS The Policy Based Network Controller

ACS Versions in the field:
ACS 4.0 SW (FCS 2004) -> main feature NAC Phase 2 ( L2 Posture Validation and external audit, service based policy)) ACS 4.1 SW (FCS 2006) -> main f t i feature extended logging t d dl i support, new ACS administrator management, PEAP/EAP-TLS support, Japanese Microsoft Windows Support ACS 4.2 SW (FCS 2008)

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

19

Service Based Policy

The administrator entirely controls the ACS behavior by configuring aggregated Service Based Policies:
How to process an access request: do (not) authenticate / using which auth protocols / do (not) validate posture / which posture protocols Credential validation policies (i.e. which DB to use for auth) Classification: map identity to user-group, map posture credentials to posture-token posture token Authorization policies: map from user-group & posture-token to radius profile

Different policies can be applied to different network access. Example: wireless access vs. remote (VPN) access policy

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

20

ACS Features
Automatic service monitoring, database synchronization, and importing tools for large-scale deployments large scale LDAP, ODBC and OTP (RSA, others) user authentication Flexible 802.1X authentication support, including EAP-TLS, Protected EAP (PEAP), Cisco LEAP, EAP-FAST, and EAP-MD5 EAP FAST, EAP MD5 Downloadable ACLs for any Layer 3 device, including routers, PIX firewalls, and VPNs (per user, per group) Network & machine access restrictions and filters Device command set authorization Detailed audit and accounting reports Dynamic quota generation User and device group profiles

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

21

Deployment Scenarios

Cisco Secure ACS

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

22

Network Access Scenario

Centralized Access Control Server
Centralized Access Control Server
Remote User
Remote Access - VPN
ISP AAA

Provider ACS View

Wireless User
Wireless

802.1x EAP-TLS

VPN Concentrator RADIUS User Repository (LDAP, AD, OTP, ODBC)

Aironet AP

Wired user
LAN

Catalyst Switch

Cisco Secure ACS

External Policy and Audit Servers (HCAP, GAME)

802.1x EAP-FAST

IOS Router

Enterprise

Device Administration Scenario

Network Administrators
FULL ACCESS

Routers, Switches, APs

West-APs

Backbone

East
PARTIAL

Security Perimeter

ACS
Syslog, ACS or RA logging server

READ ONLY

T+ or RADIUS
replication
SERVER ACCESS Unix

DSMS SERVER ACCESS PBX

Terminal Server System Access

Presentation_ID 2006 Cisco Systems, Inc. All rights reserved.

Secure auth mechanisms

24

GUI Interface/ Screen Shots

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

25

Cisco Secure ACS Accessing GUI

Remote Administrator authentication page ( http://server-name/IP:2002 ) Administrator must be configured prior to remote login. If accessed on the local system (for example, using 127.0.0.1 as the IP address) this page is not displayed and the administrator gains access.

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

26

Cisco Secure ACS Home Page

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

27

NAP Network Access Profile

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

28

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

29