
Session 08

• 802.1x.
• An IEEE standard that is used to implement port-based access control.
• Access device will allow traffic on the port only after the device has been authenticated and authorized.
• 802.1x main roles:
• Authentication server.
• An entity that provides an authentication service to an authenticator.
• Referred to as the policy decision point (PDP).
• Cisco ISE is an example of an authentication server.
• Supplicant.
• An entity that seeks to be authenticated by an authenticator.
• For example, a client laptop connected to a switch port.
• Authenticator.
• An entity that facilitates authentication of other entities attached to the same LAN.
• Referred to as the policy enforcement point (PEP).
• Cisco switches, wireless routers, and access points are examples of authenticators.

• 802.1x uses the following protocols:
• Extensible Authentication Protocol (EAP).
• An authentication protocol used between the supplicant and the authentication server to transmit authentication information.
• EAP over LAN (EAPoL).
• Used to encapsulate EAP packets to be transmitted from the supplicant to the authenticator.
• RADIUS or Diameter.
• The AAA protocol used for communication between the authenticator and authentication server.

SCOR Page 1

• The 802.1x port-based access control includes four phases.
• Session initiation.
• Either by the authenticator or by the supplicant.
• Session authentication.
• The authenticator extracts the EAP message from the EAPoL frame and sends a RADIUS Access-Request to the authentication server.
• Session authorization.
• If the authentication server can authenticate the supplicant, it will send a RADIUS Access-Accept to the authenticator with additional authorization information.
• Session accounting.
• This represents the exchange of accounting RADIUS packets between the authenticator and the authentication server.
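The protocol stack listed above (EAP inside EAPoL on the supplicant side, EAP inside RADIUS on the authentication-server side) and the session-authentication and authorization phases are easier to see in bytes. The following Python script is an added example written for these notes; it is not course material or Cisco code. It builds an EAP-Response/Identity frame as a supplicant would, unwraps the EAPoL header as the authenticator does, relays the EAP packet in RADIUS EAP-Message attributes with the Message-Authenticator that RFC 3579 requires, answers with an Access-Accept, and checks the Response Authenticator on the way back. The identity, shared secret and Request Authenticator are constructed demo values; the later EAP method rounds (EAP-TLS, PEAP, etc.) that a real session would run between these two messages are left out.

```python
import hashlib
import hmac
import os
import struct

# ---- IEEE 802.1X: EAP over LAN (EAPoL) between supplicant and authenticator ----
EAPOL_VERSION = 2            # 802.1X-2004 protocol version
EAPOL_TYPE_EAP_PACKET = 0    # EAPoL packet type 0 carries an EAP packet
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eapol_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """Supplicant: EAP-Response/Identity encapsulated in an EAPoL frame."""
    eap_len = 5 + len(identity)  # code(1) id(1) length(2) type(1) + type-data
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, eap_len, EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def extract_eap(frame: bytes) -> bytes:
    """Authenticator: strip the 4-byte EAPoL header and return the EAP packet."""
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAPoL EAP-Packet frame")
    eap = frame[4:4 + body_len]
    if len(eap) != body_len:
        raise ValueError("truncated EAPoL frame")
    return eap


# ---- RADIUS between authenticator and authentication server (RFC 2865 / 3579) ----
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def attributes(packet: bytes):
    """Yield (type, value, offset_of_value) for every AVP after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def build_access_request(eap: bytes, user: bytes, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Authenticator: relay the EAP packet to the server in EAP-Message AVPs.
    RFC 3579 requires a Message-Authenticator (HMAC-MD5 keyed with the shared
    secret over the whole packet, attribute value zeroed) alongside EAP-Message."""
    attrs = _avp(ATTR_USER_NAME, user)
    for i in range(0, len(eap), 253):          # EAP-Message values are at most 253 bytes
        attrs += _avp(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server: recompute the HMAC with the attribute zeroed and compare."""
    for attr_type, value, off in attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False   # an EAP-Message request without Message-Authenticator is discarded


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server: Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Authenticator: only act on a reply whose Response Authenticator binds it
    to the shared secret and to the Request Authenticator we sent."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def run_exchange(identity: bytes, secret: bytes, req_auth: bytes = b"") -> dict:
    """Walk the session-authentication phase end to end on constructed demo data."""
    req_auth = req_auth or os.urandom(16)
    frame = build_eapol_identity_response(identity)                      # supplicant -> authenticator
    eap = extract_eap(frame)                                             # authenticator unwraps EAPoL
    request = build_access_request(eap, identity, secret, 7, req_auth)   # authenticator -> server
    server_ok = verify_message_authenticator(request, secret)
    accept = build_access_accept(request, secret) if server_ok else b""  # server -> authenticator
    return {
        "eap_relayed_intact": any(t == ATTR_EAP_MESSAGE and v == eap for t, v, _ in attributes(request)),
        "server_accepted_integrity": server_ok,
        "accept_verified": bool(accept) and verify_response(accept, req_auth, secret),
        "wrong_secret_rejected": bool(accept) and not verify_response(accept, req_auth, b"wrong-secret"),
    }


if __name__ == "__main__":
    print(run_exchange(b"alice@example.com", b"constructed-shared-secret"))
```

The two integrity checks are the practical point: the Message-Authenticator is what stops a spoofed Access-Request from being processed, and the Response Authenticator is what stops a forged Access-Accept from opening the port, so an authenticator that skips either check is trusting whoever can reach it on the network rather than the authentication server.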

• VLAN ACL (VLAN map).
• Used to limit the traffic within a specific VLAN.
• Can apply a MAC access list, a Layer 3 ACL, and a Layer 4 ACL to the inbound direction of a VLAN.

• Security Group Based ACL.
• An ACL that implements access control based on the security group assigned to a user.

• Downloadable ACL.
• An ACL that can be applied dynamically to a port.

• CISCO IDENTITY SERVICES ENGINE (ISE).
• The centralized AAA and policy engine solution from Cisco.
• Centralizes network access control for wired, wireless, or VPN users.
• Network monitoring and reporting.
• Security posture.
• Network visibility and host identification by profiling.
• Simplifies the experience of guest users.
• Great support for bring-your-own-device (BYOD).

• Leverages Cisco TrustSec technology.

• Supports TACACS+ and RADIUS AAA services, as well as integration with Duo

• ISE can enforce policies (also known as authorization) after performing authentication.

• Posture assessment.
• A set of rules in a security policy that define a series of checks before an endpoint is granted access to the network.
• Include the installation of operating system patches, host-based firewalls, antivirus and anti-malware software, disk encryption, and more.

• Change of Authorization (CoA).
• Allows a RADIUS server to adjust an active client session.

• CONFIGURING RADIUS AUTHENTICATION
• RADIUS authentication is used in multiple scenarios: Remote Access VPN, Secure Network Access, 802.1x, and more.
• The default behavior of 802.1X is to deny access to the network when an authentication fails.
• There are multiple methods of authentication on a switch port:
• 802.1X (dot1x)
• MAB
• WebAuth

• The default behavior of an 802.1X-enabled port is to authorize only a single MAC address per port.
• Multi-Auth mode allows virtually unlimited MAC addresses per switch port, and requires an authenticated session for every MAC address.


• When you first register a Cisco ISE node as a secondary node, full replication starts automatically.
• Then incremental replication is performed on a periodic basis.
