• Enterprise network access control platform
Remote Access (VPN)
Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)
Administrative access control system for Cisco network devices (TACACS+)
Compliance
Key Scenarios
Device Administration
Remote Access
Wireless and 802.1x
Network Admission Control (NAC)
Compliance features
Authentication policy (OTP, complex password…)
Authorization enforcement (network access, device command authorization…)
Audit logging
ACS – Network Access Control Point
Who?
Home Office
Remote
802.1x Supplicant
Where? Why?
Cisco Secure ACS
How is ACS used
What is RADIUS?
• A protocol used to communicate between a network device and an authentication server or database.
Allows the communication of login and authentication information, i.e. username/password, OTP, etc.
Allows the communication of arbitrary value pairs using “Vendor Specific Attributes” (VSAs).
Can also act as a transport for EAP messages.
RFC 2058
How Cisco Secure ACS Operates
Databases
AAA Client
Cisco Secure ACS
• AAA Client/Server
- AAA Client defers authorization to centralized AAA server
- Highly scalable
[Figure: RADIUS carrying 802.1x authentication from the authenticator (switch) to the authentication server (RADIUS server over UDP); packet labelled with its IP header and the following headers]
RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579
RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs
What is EAP?
methods
Typically rides directly over data-link layers such as 802.1x or PPP media.
Originally specified in RFC 2284, obsoleted by RFC 3748
What does it do?
Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry EAP information
• Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges; EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS
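As an added example (not from the slides or from Cisco's own code), the RADIUS attribute layout the slides describe: an Access-Request in which the authenticator relays an EAP packet inside EAP-Message attributes (RFC 3579), carries a Vendor-Specific attribute, and signs the packet with the Message-Authenticator that a server must verify before trusting EAP-carrying requests. The shared secret, the identity "alice" and the vendor-id 9 sub-attribute are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 26, 79, 80

def attr(attr_type, value):
    # RADIUS AVP: Type (1 byte), Length (1 byte, header included), Value (at most 253 bytes)
    return bytes([attr_type, 2 + len(value)]) + value
def vsa(vendor_id, vendor_type, value):
    # Vendor-Specific (type 26): 4-byte Vendor-Id, then a vendor-defined sub-TLV
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)
def eap_attrs(eap_payload):
    # EAP payloads longer than 253 bytes are split over consecutive EAP-Message attributes
    return [attr(EAP_MESSAGE, eap_payload[i:i + 253]) for i in range(0, len(eap_payload), 253)]
def build_access_request(identifier, request_authenticator, attributes, secret):
    # Header: Code, Identifier, Length, 16-byte Request Authenticator, then attributes. Message-Authenticator
    # (RFC 3579) is HMAC-MD5 over the packet with its own value zeroed; placed last so the HMAC replaces the tail.
    body = b"".join(attributes) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
def parse_attributes(packet):
    # Walk the attribute list, yielding (type, value, offset); reject lengths that overrun the packet
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        yield t, packet[pos + 2:pos + l], pos
        pos += l
def reassemble_eap(packet):
    # Concatenate EAP-Message fragments in order to recover the EAP packet the authenticator relayed
    return b"".join(v for t, v, _ in parse_attributes(packet) if t == EAP_MESSAGE)
def verify_message_authenticator(packet, secret):
    # Recompute the HMAC with the attribute value zeroed; a missing attribute fails closed (RFC 3579)
    for t, v, off in parse_attributes(packet):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False

# Constructed sample (not from a real capture): EAP-Response/Identity for "alice" relayed by a switch
SECRET = b"shared-secret"
EAP_IDENTITY = bytes([2, 1, 0, 10]) + b"\x01alice"  # Code 2 Response, Id 1, Length 10, Type 1 Identity
SAMPLE = build_access_request(7, bytes(16), [attr(USER_NAME, b"alice")] + eap_attrs(EAP_IDENTITY)
                              + [vsa(9, 1, b"shell:priv-lvl=15")], SECRET)
```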
• Three forms of EAP are specified in the standard: EAP-MD5 (MD5 hashed username/password); EAP-OTP (one-time passwords); EAP-GTC (token-card implementations requiring user input)
Current Prevalent Authentication Methods
• Challenge-response-based
EAP-MD5: Uses MD5-based challenge-response for authentication
LEAP: Uses username/password authentication
EAP-MSCHAPv2: Uses username/password MSCHAPv2 challenge-response authentication
• Cryptographic-based
EAP-TLS: Uses X.509 v3 PKI certificates and the TLS mechanism for authentication
• Tunneling methods
PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like web-based SSL
EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel
EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment
• Other
EAP-GTC: Generic token and OTP authentication
IEEE 802.1x
ACS - AAA
Authentication server responds with the authorization result; the switch opens the controlled port (if authorized) for the user to access the LAN
Hardware/Software Platform
and feature-rich
Features Unique to the ACS Appliance
Controller
• ACS Versions in the field:
ACS 4.0 SW (FCS 2004): main feature NAC Phase 2 (L2 Posture Validation and
ACS Features
APs
West-APs
Cisco Secure ACS – Accessing GUI