Cisco Identity-Based Networking Service
Cisco Identity-Based Networking Service (IBNS) is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. IBNS offers greater security with cost-effective management.
Cisco IBNS provides the network with the following services and capabilities:
1. User and device authentication.
2. Mapping the identity of a network entity to a defined set of policies configured by management.
3. Granting or denying network access, at the port level, based on configured authorization policies.
4. Enforcement of additional policies.
>> These capabilities are introduced when a Cisco end-to-end system is implemented with the Cisco Catalyst family of switches, wireless LAN access points and controllers, and Cisco ACS.
>> Additional components of the system include an IEEE 802.1x-compliant client OS (such as Windows XP), X.509 PKI, and Cisco IP phones.
>> With 802.1x, you can set up two different DHCP pools: a device that authenticates properly is assigned an address from one range, and a device that does not offer the right credentials is assigned an address from another range.
>> When a teleworker starts up or connects the PC to the LAN, the PC usually first requests its network identity (IP address) and other needed information from a DHCP server; for PCs enabled for 802.1X, the first request is instead an Extensible Authentication Protocol over LAN (EAPOL) request.
CISCO IBNS Port-Based Access Control:
End User ---------------------- Cisco Cat 2950 ---------------------- Authentication Server (ACS/RADIUS)
1. EAPOL-Start                 -->
                               <--   2. Login request
3. Login response              -->
                                     4. Check with policy DB           -->
                                                                       5. Policy DB confirms ID and grants access
                               <--   6. Policy DB informs switch
In compliance with the IEEE 802.1X standard, a Cisco Catalyst switch can perform basic port-based authentication and Network Access Control (NAC).
Once the IEEE 802.1x-compliant client software is configured on the end device, the Cisco Catalyst running the IEEE 802.1x feature authenticates the requesting user or system in conjunction with a back-end Cisco ACS or other RADIUS server.
IEEE 802.1x:
802.1x is a protocol standard designed to provide port-based network access control.
IEEE 802.1x authenticates network clients using information unique to the client and credentials known only to the client; this service is called port-level authentication.
>Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), CDP, and STP traffic through the port to which the client is connected. After authentication succeeds, normal traffic can pass through the port.
>IEEE 802.1x provides an encapsulation definition for the transport of EAP at the MAC layer over any PPP or IEEE 802 media.
>IEEE 802.1x enables the implementation of port-based NAC to a network device.
802.1x Components:
1) Supplicant: e.g. the client
2) Authenticator (proxy): Catalyst switch, Network Access Device (NAD)
3) Authentication Server: AAA and RADIUS server
EAPOL works between the supplicant and the authenticator.
RADIUS works between the authenticator and the authentication server.
How 802.1x works:
For each 802.1x switch port, the switch creates two virtual access points at the port:
1) Controlled Port: open only when the device connected to the port has been authorized by 802.1x.
2) Uncontrolled Port: provides a path for EAPOL traffic only.
Authentication Initiation and Message Exchange:
Client ------------------------------- NAD ------------------------------- Server (ACS)
       <---------- EAPOL ---------->       <---------- RADIUS ---------->
       <------------------------------ EAP ------------------------------->
The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary.
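The relay described above, as an added example that is not part of the original post: the supplicant and the authentication server run the EAP conversation end to end, while the switch only changes the wrapper around each EAP packet (EAPOL towards the client, a RADIUS Access-Request towards the server). The user database, the password-style EAP method and the message names are constructed for illustration; real deployments use the methods listed later on this page (EAP-TLS, PEAP and so on).

```python
"""Toy model of the 802.1x relay: EAP end to end, the switch as intermediary.
Added example; the user database, the toy 'password' EAP method and all
message names are constructed."""

from dataclasses import dataclass

# Constructed user database held by the "ACS": identity -> password.
USER_DB = {"alice": "constructed-pass"}


@dataclass
class EAP:
    """Minimal EAP packet. code: request / response / success / failure."""
    code: str
    kind: str = ""   # 'identity' or 'password' (toy method, not a real EAP type)
    data: str = ""


class Supplicant:
    """The 802.1x client. Answers EAP requests and records the final verdict."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password
        self.result = None

    def handle(self, eap):
        if eap.code == "request" and eap.kind == "identity":
            return EAP("response", "identity", self.identity)
        if eap.code == "request" and eap.kind == "password":
            return EAP("response", "password", self.password)
        self.result = eap.code           # 'success' or 'failure' ends the exchange
        return None


class AuthServer:
    """Toy RADIUS/ACS: runs the EAP method, answers Challenge, Accept or Reject."""

    def __init__(self):
        self.identity = None

    def access_request(self, eap):
        if eap.kind == "identity":
            self.identity = eap.data
            return "Access-Challenge", EAP("request", "password")
        if USER_DB.get(self.identity) == eap.data:
            return "Access-Accept", EAP("success")
        return "Access-Reject", EAP("failure")


class Authenticator:
    """The switch. It never inspects the EAP payload; it only re-encapsulates it."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False
        self.log = []

    def run(self, supplicant):
        # Link-up or EAPOL-Start: the switch asks the client for its identity.
        self.log.append("EAPOL-Start <- client")
        eap = EAP("request", "identity")
        while True:
            self.log.append(f"EAPOL EAP-{eap.code}/{eap.kind or '-'} -> client")
            resp = supplicant.handle(eap)
            if resp is None:             # success/failure delivered; exchange over
                break
            self.log.append("RADIUS Access-Request [EAP-Message] -> server")
            radius_code, eap = self.server.access_request(resp)
            self.log.append(f"RADIUS {radius_code} <- server")
            if radius_code == "Access-Accept":
                self.port_authorized = True   # the controlled port opens
        return self.port_authorized


def authenticate(identity, password):
    """Run one exchange; returns (port authorized?, client's verdict, message log)."""
    supplicant = Supplicant(identity, password)
    switch = Authenticator(AuthServer())
    authorized = switch.run(supplicant)
    return authorized, supplicant.result, switch.log


if __name__ == "__main__":
    ok, verdict, log = authenticate("alice", "constructed-pass")
    print("\n".join(log))
    print("port authorized:", ok, "| client saw:", verdict)
```

The point to notice is that `Authenticator.run` never reads `eap.data`: whether the credential is a password, a certificate or a token is settled between `Supplicant` and `AuthServer`, and the switch only learns the verdict from the RADIUS code.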
Control Over Port Authorization State:
We can control the port authorization state by using the dot1x port-control interface configuration command and these keywords:
1) force-authorized: This keyword disables 802.1x and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default setting.
2) force-unauthorized: Ignores all attempts by the client to authenticate. The switch cannot provide authentication service to the client through the interface.
3) auto: This keyword enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. Authentication begins when the link state of the port transitions from down to up, or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server.
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.
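The controlled/uncontrolled port pair and the three port-control keywords, as an added example (not code from the original post or from Cisco): a small model of one switch port that classifies ingress frames. The frame types, the `auth_result` hook standing in for the RADIUS verdict, and the event log are constructed; the pass-through of CDP and STP before authentication follows the statement earlier on this page.

```python
"""Model of one 802.1x switch port: controlled vs. uncontrolled port and the
effect of 'dot1x port-control' keywords on ingress frames.  Added example;
frame types and the auth_result hook are constructed."""

from enum import Enum


class PortControl(Enum):
    FORCE_AUTHORIZED = "force-authorized"      # default: 802.1x off, port always forwards
    FORCE_UNAUTHORIZED = "force-unauthorized"  # never authorizes, ignores supplicant attempts
    AUTO = "auto"                              # starts unauthorized, opens on EAP success


# Traffic allowed before authentication besides EAPOL, per the page: CDP and STP.
ALWAYS_ALLOWED = {"cdp", "stp"}


class Dot1xPort:
    def __init__(self, control=PortControl.FORCE_AUTHORIZED):
        self.control = control
        self.link_up = False
        self.authorized = control is PortControl.FORCE_AUTHORIZED
        self.events = []

    def link_transition(self, up):
        """Down->up in auto mode starts authentication; any transition resets auto state."""
        self.link_up = up
        if self.control is PortControl.AUTO:
            self.authorized = False
            if up:
                self.events.append("EAP-Request/Identity sent")
        elif self.control is PortControl.FORCE_AUTHORIZED:
            self.authorized = True

    def receive(self, frame):
        """Classify one ingress frame.

        frame = {"type": t} with t in
        {'eapol-start', 'eapol-logoff', 'eap', 'cdp', 'stp', 'data'}.
        Returns 'uncontrolled' (handed to the dot1x process), 'forward'
        (passes the controlled port) or 'drop'.
        """
        if not self.link_up:
            return "drop"
        ftype = frame["type"]
        if ftype.startswith("eap"):
            # EAPOL always reaches the uncontrolled port; only 'auto' acts on it.
            if self.control is PortControl.AUTO:
                if ftype == "eapol-logoff":
                    self.authorized = False          # client logged off
                elif ftype == "eapol-start":
                    self.events.append("EAP-Request/Identity sent")
            return "uncontrolled"
        if ftype in ALWAYS_ALLOWED:
            return "forward"
        # Ordinary data crosses the controlled port only in the authorized state.
        return "forward" if self.authorized else "drop"

    def auth_result(self, success):
        """Verdict relayed from the authentication server (Accept / Reject)."""
        if self.control is PortControl.AUTO:
            self.authorized = bool(success)


def scenario_auto():
    """Life cycle of an 'auto' port; returns the fate of each test frame."""
    port = Dot1xPort(PortControl.AUTO)
    port.link_transition(up=True)
    fates = [port.receive({"type": "data"}),          # unauthorized: dropped
             port.receive({"type": "stp"}),           # control-plane traffic passes
             port.receive({"type": "eapol-start"})]   # goes to the dot1x process
    port.auth_result(True)                            # server answered Access-Accept
    fates.append(port.receive({"type": "data"}))      # now forwarded
    port.receive({"type": "eapol-logoff"})            # client logs off
    fates.append(port.receive({"type": "data"}))      # back to unauthorized
    return fates


def scenario_forced():
    """force-authorized forwards with no exchange; force-unauthorized never forwards."""
    fa = Dot1xPort(PortControl.FORCE_AUTHORIZED)
    fa.link_transition(up=True)
    fu = Dot1xPort(PortControl.FORCE_UNAUTHORIZED)
    fu.link_transition(up=True)
    fu.receive({"type": "eapol-start"})   # ignored: no identity request is generated
    fu.auth_result(True)                  # ignored as well
    return fa.receive({"type": "data"}), fu.receive({"type": "data"}), fu.events


if __name__ == "__main__":
    print(scenario_auto())
    print(scenario_forced())
```

`scenario_auto` walks one port through link-up, EAPOL-Start, Access-Accept and EAPOL-Logoff; `scenario_forced` shows why the default `force-authorized` gives no protection at all and why `force-unauthorized` never even generates an identity request.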
IEEE 802.1x Host Mode:
IEEE 802.1x ports can be configured for single-host or multiple-host mode.
a) Single-Host Mode:
>Only one client can be connected to the IEEE 802.1x-enabled switch port.
>The switch detects the client by sending an EAPOL frame when the port link state changes to up. If a client leaves or is replaced with another, the switch changes the port link state to down, and the port returns to the unauthorized state.
b) Multiple-Host Mode:
>Multiple hosts may be attached to a single IEEE 802.1x-enabled port.
>Only one of the attached clients must be authorized for all clients to be granted network access.
>If the port becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients.
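The two host modes side by side, as an added example that is not part of the original post: the same sequence of data frames is run against a single-host and a multi-host port model. The behaviour follows the description above (a second station on a single-host port takes the port down and unauthorized; on a multi-host port one authorization covers every station, and losing it cuts all of them off); the MAC addresses and the event sequence are constructed.

```python
"""Single-host vs. multiple-host 802.1x port behaviour.  Added example; the
MAC addresses and the event sequence are constructed."""

AUTH_MAC = "00:11:22:33:44:55"   # constructed: the station that completes 802.1x
OTHER_MAC = "66:77:88:99:aa:bb"  # constructed: a second station on the same port


class HostModePort:
    def __init__(self, mode):
        if mode not in ("single-host", "multi-host"):
            raise ValueError(mode)
        self.mode = mode
        self.link_up = True
        self.authorized = False
        self.authorized_mac = None     # the client whose EAP exchange succeeded
        self.events = []

    def eap_success(self, mac):
        """The authentication server accepted this client: the port is authorized."""
        self.authorized = True
        self.authorized_mac = mac

    def port_unauthorized(self, reason):
        """Reauth failure, EAPOL-logoff or link down: every attached host loses access."""
        self.authorized = False
        self.authorized_mac = None
        self.events.append(reason)

    def eapol_logoff(self):
        self.port_unauthorized("eapol-logoff")

    def data_frame(self, src_mac):
        """Return 'forward' or 'drop' for a data frame from src_mac."""
        if not self.link_up or not self.authorized:
            return "drop"
        if self.mode == "single-host" and src_mac != self.authorized_mac:
            # A different station on a single-host port: per the text the
            # switch takes the link down and the port returns to unauthorized.
            self.link_up = False
            self.port_unauthorized("link-down: unexpected station")
            return "drop"
        # multi-host: the one authorization covers every station on the port
        return "forward"


def compare_modes():
    """Same event sequence on both modes; returns {mode: [fate, ...]}."""
    results = {}
    for mode in ("single-host", "multi-host"):
        port = HostModePort(mode)
        port.eap_success(AUTH_MAC)
        fates = [port.data_frame(AUTH_MAC),    # the authenticated client
                 port.data_frame(OTHER_MAC),   # a second station appears
                 port.data_frame(AUTH_MAC)]    # the first client again
        port.eapol_logoff()
        fates.append(port.data_frame(AUTH_MAC))
        results[mode] = fates
    return results


if __name__ == "__main__":
    for mode, fates in compare_modes().items():
        print(f"{mode:12s} {fates}")
```

The second column of the output is the one that matters for risk: in multi-host mode the unauthenticated `OTHER_MAC` is forwarded on the strength of someone else's authentication, which is exactly why that mode should be reserved for ports where the attached segment is trusted (an IP phone with a PC behind it, for example).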
What is EAP (Extensible Authentication Protocol)?
A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself.
EAP, based on IETF 802.1x, is an end-to-end framework that allows the creation of authentication types without changing AAA client configurations.
Characteristics:
1. An extension of PPP to provide additional authentication features.
2. A flexible protocol used to carry arbitrary authentication information.
3. Typically rides on top of another protocol, such as 802.1x or RADIUS.
4. Supports multiple authentication types:
a) EAP-MD5: plain password hash (Challenge Handshake Authentication Protocol [CHAP] over EAP)
b) EAP-Transport Layer Security (TLS) (based on X.509 certificates)
c) Lightweight EAP (LEAP) (also called EAP-Cisco Wireless)
d) Protected EAP (PEAP)
e) EAP-Flexible Authentication via Secure Tunneling (FAST)
Current Prevalent Authentication Methods:
1) Challenge-response-based
. EAP-MD5: Uses MD5-based challenge-response for authentication
. LEAP: Uses username/password authentication
. EAP-MS-CHAPv2: Uses username/password MSCHAPv2
2) Cryptographic-based
. EAP-TLS: Uses X.509 v3 PKI certificates and the TLS mechanism for authentication
3) Tunneling methods
. PEAP: PEAP tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like Web-based SSL
. EAP-Tunneled TLS (TTLS): Other EAP methods over an extended EAP-TLS encrypted tunnel
. EAP-FAST: Recent tunneling method designed not to require certificates at all for deployment
4) Other:
. EAP-GTC: Generic token and OTP authentication
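The EAP-MD5 method listed first above is simple enough to show in full. The following is an added example, not code from the original post: it builds the EAP-Request/MD5-Challenge and EAP-Response/MD5-Challenge packets and computes the response value as RFC 3748 section 5.4 defines it, reusing the CHAP hash of RFC 1994, MD5(Identifier || password || Challenge). The user name, password, server name and challenge bytes are constructed.

```python
"""EAP-MD5 (MD5-Challenge) request/response as in RFC 3748 section 5.4.
Packet layout: Code(1) Identifier(1) Length(2) Type(1) Type-Data, with
Type-Data = Value-Size(1) Value Name.  Added example; user name, password and
challenge are constructed."""

import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The 16-byte value the supplicant returns for a given challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_packet(code: int, identifier: int, type_data: bytes) -> bytes:
    """Wrap MD5-Challenge type-data in an EAP header; Length covers the whole packet."""
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, EAP_TYPE_MD5_CHALLENGE) + type_data


def parse_eap(packet: bytes):
    """Return (code, identifier, value, name) from an MD5-Challenge request/response."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("malformed EAP MD5-Challenge packet")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    name = packet[6 + value_size:]
    return code, identifier, value, name


def server_request(identifier: int, challenge: bytes, server_name: bytes) -> bytes:
    """EAP-Request/MD5-Challenge: Value-Size, Challenge, Name."""
    return eap_packet(EAP_REQUEST, identifier, bytes([len(challenge)]) + challenge + server_name)


def supplicant_response(request: bytes, password: bytes, peer_name: bytes) -> bytes:
    """Supplicant side: read the challenge, hash it with the password, answer with its name."""
    code, identifier, challenge, _ = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    value = md5_challenge_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, bytes([len(value)]) + value + peer_name)


def server_verify(response: bytes, expected_id: int, challenge: bytes, user_db: dict) -> bool:
    """Server side: needs the cleartext password to recompute and compare the hash."""
    code, identifier, value, name = parse_eap(response)
    if code != EAP_RESPONSE or identifier != expected_id:
        return False
    password = user_db.get(name.decode("utf-8", "replace"))
    if password is None:
        return False
    expected = md5_challenge_value(identifier, password, challenge)
    return hmac.compare_digest(value, expected)


def run_md5_exchange(offered_password: bytes) -> bool:
    """One full request/response round trip against a constructed user database."""
    user_db = {"alice": b"constructed-secret"}   # server's copy of the cleartext password
    identifier = 0x2A
    challenge = os.urandom(16)                    # fresh per request, never reused
    request = server_request(identifier, challenge, b"acs.example")
    response = supplicant_response(request, offered_password, b"alice")
    return server_verify(response, identifier, challenge, user_db)


if __name__ == "__main__":
    print("right password accepted:", run_md5_exchange(b"constructed-secret"))
    print("wrong password accepted:", run_md5_exchange(b"wrong"))
```

Two properties of this method explain why the page files it apart from the TLS-based and tunneled ones: `server_verify` can only work if the server stores the cleartext password, and nothing in the exchange authenticates the server to the client or derives keying material, so EAP-MD5 is usually run, if at all, inside a tunnel such as PEAP or EAP-TTLS.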