
By Igor Koudashev, Systems Engineer, Cisco Systems Australia, ivk@cisco.com

Cisco Secure Access Control System


Policy Control and Integration Point for Network Access

• Enterprise network access control platform
– Remote Access (VPN)
– Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)
– Administrative access control system for Cisco network devices (TACACS+)


• Auditing, compliance and accounting features
• Control point for access policy & application access integration
• Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy
• Consistent Policy Control and Compliance

Key Scenarios
• Device Administration
• Remote Access
• Wireless and 802.1x
• Network Admission Control (NAC)

Compliance features
• Authentication policy (OTP, complex password…)
• Authorization enforcement (network access, device command authorization…)
• Audit logging
ACS – Network Access Control Point

[Diagram: Who? Where? Why? – Home Office, Remote, 802.1x Supplicant, Cisco Secure ACS]
How is ACS used

• Our customers use ACS for:
1. Authentication and authorization (privileges) of remote users (traditional RADIUS)
2. Security of wired and wireless networks (EAP)
3. Administrators' access management to network devices and applications (TACACS+)
4. Security audit reports or account billing information
• Ships in two form factors: Software and Appliance
• ACS has been successful because it combines access security, authentication, user and administrator access, and policy control in a centralized identity framework
AAA – Related Protocols

• RADIUS – Remote Authentication Dial In User Service
• TACACS+ – Terminal Access Controller Access Control System
TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the TACACS protocol referenced by RFC 1492.
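To make the TACACS+ framing concrete, here is an added example (not Cisco's or ACS's code) that encodes and decodes a TACACS+ Authentication START packet as RFC 8907 specifies it: the 12-byte header and the MD5-pad body obfuscation that the protocol applies with the shared key. The key, session id, user, port and address below are constructed placeholders.

```python
"""Encode/decode a TACACS+ Authentication START packet (RFC 8907 framing).

Added example, not Cisco's or ACS's code. RFC 8907 calls the MD5-pad XOR
"obfuscation" rather than encryption: the pad depends only on the shared key
and header fields, and nothing authenticates the body. All sample values are
constructed placeholders.
"""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # ASCII login
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # service: login
TAC_PLUS_PRIV_LVL_USER = 0x01
VERSION_ASCII = 0xC0               # major version 0xC, minor 0 (ASCII login)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: pad_1 = MD5(session_id|key|version|seq_no),
    pad_i = MD5(session_id|key|version|seq_no|pad_{i-1}); truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, session_id: int, key: bytes) -> bytes:
    """Client (network device) side: START body per RFC 8907 section 5.1, seq_no 1."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!BBBBBBBB",
                       TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    header = HEADER.pack(VERSION_ASCII, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_ASCII, 1)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server side: check the header, de-obfuscate with the shared key, unpack the START body."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER.size + length or length < 8:
        raise ValueError("not a well-formed TACACS+ authentication packet")
    body = obfuscate(packet[HEADER.size:], session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    fields = body[8:]
    if len(fields) != ul + pl + rl + dl:
        raise ValueError("length fields do not match body (wrong key or corrupt packet)")
    return {
        "seq_no": seq_no, "session_id": session_id, "priv_lvl": priv_lvl,
        "user": fields[:ul].decode(),
        "port": fields[ul:ul + pl].decode(),
        "rem_addr": fields[ul + pl:ul + pl + rl].decode(),
    }


if __name__ == "__main__":
    key = b"constructed-key"                       # constructed placeholder
    pkt = build_authen_start("netadmin", "tty0", "10.0.0.5", 0x12345678, key)
    print(pkt.hex())
    print(parse_authen_start(pkt, key))
```

A mismatched key shows up as a body whose length fields no longer add up (or as garbage strings), which is the only integrity signal the classic protocol gives; that is why the wire between the device and ACS should be treated as trusted network, not as an authenticated channel.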


What is RADIUS?

• A protocol used to communicate between a network device and an authentication server or database.
• Allows the communication of login and authentication information, i.e. username/password, OTP, etc.
• Allows the communication of arbitrary value pairs using “Vendor Specific Attributes” (VSAs).
• Can also act as a transport for EAP messages.
• RFC 2058
How Cisco Secure ACS Operates

[Diagram: AAA Client (Network Access Server) – TACACS+ / RADIUS – Cisco Secure ACS – Variety of Local or External Databases, Authentication Methods]

• AAA Client/Server
– AAA Client defers authorization to centralized AAA server
– Highly scalable
– Uses standards-based protocols for AAA services


Some important points of Authentication

• The process of authentication is used to verify a claimed identity
• An identity is only useful as a pointer to an applicable policy and for accounting
• Without authorization or associated policies, authentication alone is pretty meaningless
• An authentication system is only as strong as the method of verification used
Network Access Control Model

Protocols and Mechanisms
• Extensible Authentication Protocol (EAP – RFC 3748)
• IEEE 802.1x framework
• Use of RADIUS
How RADIUS is used here?

• RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)
• RFC for how RADIUS should support EAP between authenticator and authentication server—RFC 3579
• RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs

[Diagram of the packet layering: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs]

• Usage guideline for 802.1x authenticators' use of RADIUS—RFC 3580
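The packet layering above, as an added example rather than code from the deck, Cisco or any RADIUS library: an Access-Request is built the way an 802.1x authenticator would send it to ACS (RADIUS header, EAP payload in an EAP-Message attribute, further AV pairs), and the server-side check from RFC 3579 is applied. RFC 3579 requires every packet carrying EAP-Message to also carry a Message-Authenticator (HMAC-MD5 keyed with the shared secret), which is what lets the server discard forged or altered EAP traffic. The shared secret, NAS address and user name are constructed values.

```python
"""Build and check a RADIUS Access-Request carrying an EAP payload.

Added example; not Cisco's, ACS's or any RADIUS library's code. Framing per
RFC 2865, EAP-Message / Message-Authenticator handling per RFC 3579, the
NAS-Port-Type value per RFC 3580. All sample values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15  # value a wired 802.1x authenticator reports (RFC 3580)


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, includes Type and Length) Value."""
    if len(value) > 253:
        raise ValueError("value too long; larger EAP packets are split over several EAP-Message attributes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response_identity(identifier: int, identity: str) -> bytes:
    """EAP Code 2 (Response), Type 1 (Identity): the supplicant's first message (RFC 3748 section 5.1)."""
    type_data = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, identifier, 4 + len(type_data)) + type_data


def build_access_request(identifier: int, secret: bytes, eap: bytes, nas_ip: str,
                         user: str, request_authenticator: bytes = b"") -> bytes:
    """Authenticator side: header, Request Authenticator, attributes, then the HMAC."""
    ra = request_authenticator or os.urandom(16)  # RFC 2865: 16 unpredictable octets
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attribute(ATTR_EAP_MESSAGE, eap)
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeros while the HMAC is computed
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute, so its value is the tail


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list; yields (type, offset_of_value, value) so a caller can zero a value in place."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def eap_payload(packet: bytes) -> bytes:
    """RFC 3579: concatenate all EAP-Message values, in order, to recover the EAP packet."""
    return b"".join(v for t, _, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side (RFC 3579 section 3.2): recompute HMAC-MD5 over the packet with the
    Message-Authenticator value zeroed. A packet with EAP-Message but no (or a bad)
    Message-Authenticator is to be silently discarded."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    ma = [(off, v) for t, off, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][1]) != 16:
        return False
    off, value = ma[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed placeholder
    req = build_access_request(7, secret, eap_response_identity(1, "alice"), "10.0.0.2", "alice")
    print(len(req), "bytes; authentic:", verify_message_authenticator(req, secret))
    print("EAP payload:", eap_payload(req))
```

The check fails both for a wrong shared secret and for any altered byte, including an altered User-Name, so the server can tie the EAP conversation to the device it trusts; the strength of that binding is exactly the strength of the shared secret, which is why per-device secrets matter in an ACS deployment.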
What's EAP?

EAP – The Extensible Authentication Protocol
• A flexible protocol used to carry arbitrary authentication information – not the authentication method itself.
• Rose out of the need to reduce the complexity of relationships between systems and the increasing need for more elaborate and secure authentication methods
• Typically rides directly over data-link layers such as 802.1x or PPP media.
• Originally specified in RFC 2284, obsoleted by RFC 3748
What does it do?

• Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
• A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry EAP information
• Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges; EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS
• Three forms of EAP are specified in the standard: EAP-MD5—MD5 hashed username/password; EAP-OTP—one-time passwords; EAP-GTC—token-card implementations requiring user input

Current Prevalent Authentication Methods
• Challenge-response-based
– EAP-MD5: Uses MD5 based challenge-response for authentication
– LEAP: Uses username/password authentication
– EAP-MSCHAPv2: Uses username/password MSCHAPv2 challenge-response authentication
• Cryptographic-based
– EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for authentication
• Tunneling methods
– PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel—much like web based SSL
– EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel
– EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment
• Other
– EAP-GTC: Generic token and OTP authentication
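The challenge-response category above, worked through as an added example (not the deck's or Cisco's code) for EAP-MD5, the simplest of the methods listed: the authentication server issues a Request/MD5-Challenge, the supplicant answers with MD5(Identifier || password || challenge) as RFC 3748 section 5.4 specifies, and the server compares that against the password it holds and returns Success or Failure. The server name, user name and password are constructed placeholders.

```python
"""EAP-MD5-Challenge exchange with both sides' messages (RFC 3748 section 5.4).

Added example, not Cisco's or ACS's code. Packet layout: Code(1) Identifier(1)
Length(2) Type(1) Value-Size(1) Value Name. Sample names and the password are
constructed placeholders.
"""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4


def eap_packet(code: int, identifier: int, type_data: bytes = b"") -> bytes:
    """Generic EAP header; Success and Failure carry no Type or data."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def md5_challenge_request(identifier: int, challenge: bytes, server_name: bytes) -> bytes:
    """Authentication server -> peer: Type 4, Value-Size, challenge, server Name."""
    return eap_packet(EAP_REQUEST, identifier,
                      bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + server_name)


def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The CHAP-style proof: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def parse_md5_challenge(packet: bytes) -> tuple:
    """Decode a Request or Response/MD5-Challenge into (code, identifier, value, name)."""
    if len(packet) < 6:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP MD5-Challenge packet")
    vsize = packet[5]
    if 6 + vsize > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + vsize], packet[6 + vsize:]


def peer_answer(request: bytes, password: bytes, peer_name: bytes) -> bytes:
    """Peer (supplicant) -> server: same Identifier, 16-byte MD5 value, peer Name."""
    code, identifier, challenge, _ = parse_md5_challenge(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    value = md5_response_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier,
                      bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + peer_name)


def server_verify(response: bytes, expected_identifier: int, challenge: bytes,
                  password_db: dict) -> bytes:
    """Server: the Identifier must match the outstanding Request (a stale reply is
    not accepted), the Name must be known, and the proof must match the stored
    password. Returns the EAP Success or Failure packet to send back."""
    code, identifier, value, name = parse_md5_challenge(response)
    password = password_db.get(name.decode(errors="replace"))
    if code != EAP_RESPONSE or identifier != expected_identifier or password is None:
        return eap_packet(EAP_FAILURE, identifier)
    expected = md5_response_value(identifier, password, challenge)
    ok = hmac.compare_digest(expected, value)
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier)


def run_exchange(password_db: dict, peer_name: str, peer_password: bytes,
                 identifier: int = 1, challenge: bytes = b"") -> int:
    """Drive one Request -> Response -> Success/Failure round trip; returns the final EAP Code."""
    challenge = challenge or os.urandom(16)
    request = md5_challenge_request(identifier, challenge, b"acs-demo")  # constructed server name
    response = peer_answer(request, peer_password, peer_name.encode())
    return server_verify(response, identifier, challenge, password_db)[0]


if __name__ == "__main__":
    db = {"alice": b"constructed-pw"}  # constructed placeholder credentials
    print("good password ->", run_exchange(db, "alice", b"constructed-pw"))
    print("bad password  ->", run_exchange(db, "alice", b"wrong"))
```

Two properties visible in the code explain why the deck groups this method with plain challenge-response rather than the tunneled methods: the server must hold the clear-text password to recompute the proof, and the peer never verifies the server. RFC 3748 also notes that MD5-Challenge derives no keying material, which is why it is unsuitable for wireless and is normally run inside PEAP or EAP-FAST if used at all.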


IEEE 802.1x

[Diagram: ACS – AAA. Authentication server responds with the access authorization; switch opens controlled port (if authorized) for user to access LAN]
Hardware/Software Platform

• ACS implements identity management and AAA services
• CD-ROM version for any Windows 2003 server
• Appliance version delivered on hardened Win2003 OS
• Highly scalable (100,000+ users, thousands of RADIUS/TACACS+ devices) and feature-rich
Features Unique to the ACS Appliance

• Security-hardened underlying OS.
• Port-based packet filtering, allowing connections only to the ports necessary for Cisco Secure ACS operation.
• Serial console interface for initial configuration, subsequent management of IP connections, Web interface, and application of upgrades and remote reboots. The serial console interface supports both serial line and Telnet connections.
• SNMP read-only support to monitor the appliance from external systems.
• Backup/restore of the Cisco Secure ACS data via FTP.
• Recovery procedures.
• Network Time Protocol (NTP) support for maintaining network time consistency with other appliances or network devices.
ACS – The Policy Based Network Controller

• ACS Versions in the field:
– ACS 4.0 SW (FCS 2004) -> main feature NAC Phase 2 (L2 Posture Validation and external audit, service based policy)
– ACS 4.1 SW (FCS 2006) -> main feature extended logging support, new ACS administrator management, PEAP/EAP-TLS support, Japanese Microsoft Windows support
– ACS 4.2 SW (FCS 2008)
Service Based Policy

• The administrator entirely controls the ACS behavior by configuring aggregated Service Based Policies:
– How to process an access request: do (not) authenticate / using which auth protocols / do (not) validate posture / which posture protocols…
– Credential validation policies (i.e. which DB to use for auth)…
– Classification: map identity to user-group, map posture credentials to posture-token…
– Authorization policies: map from user-group & posture-token to radius profile…
• Different policies can be applied to different network access. Example: wireless access vs. remote (VPN) access policy
ACS Features

• Automatic service monitoring, database synchronization, and importing tools for large-scale deployments
• LDAP, ODBC and OTP (RSA, others) user authentication
• Flexible 802.1X authentication support, including EAP-TLS, Protected EAP (PEAP), Cisco LEAP, EAP-FAST, and EAP-MD5
• Downloadable ACLs for any Layer 3 device, including routers, PIX® firewalls, and VPNs (per user, per group)
• Network & machine access restrictions and filters
• Device command set authorization
• Detailed audit and accounting reports
• Dynamic quota generation
• User and device group profiles
Cisco Secure ACS – Device Administration Scenario

[Diagram: Network Administrators – Backbone – Routers, Switches, APs (West-APs) – Cisco Secure ACS]
Cisco Secure ACS – Accessing GUI

• Remote Administrator authentication page (http://server-name/IP:2002). Administrator must be configured prior to remote login. If accessed on the local system (for example, using 127.0.0.1 as the IP address) this page is not displayed and the administrator gains access.
Cisco Secure ACS Home Page

NAP – Network Access Profile
