Cisco Secure ACS Overview

By Igor Koudashev, Systems Engineer, Cisco Systems Australia

© 2006 Cisco Systems, Inc. All rights reserved.


Cisco Secure Access Control System
Policy Control and Integration Point for Network Access

• Enterprise network access control platform
  - Remote Access (VPN)
  - Wireless & Wired Access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)
  - Administrative access control system for Cisco network devices (TACACS+)
• Auditing, compliance and accounting features
• Control point for access policy & application access integration
• Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy




Consistent Policy Control and Compliance

Key scenarios:
• Device Administration
• Remote Access
• Wireless and 802.1x
• Network Admission Control (NAC) Posture / Audit

[Diagram: ACS integrated with AD / LDAP and CiscoWorks]

Compliance features:
• Authentication policy (OTP, complex password, …)
• Authorization enforcement (network access, device command authorization, …)
• Audit logging

ACS – Network Access Control Point

[Diagram: Who? / Where? / Why?]
• Who? Remote users (Home Office, Road Warrior), Campus User, Guest User; scope ranges from "some of the people some of the time" to "all of the people all of the time", all machines and all devices.
• Where? Access clients and the devices that enforce access: Cisco VPN Client via VPN Concentrator, Cisco or CCX WLAN Client via Aironet AP, 802.1x Supplicant or Web Auth via Catalyst Switch, Dial Access via IOS Router, with an ISP AAA Provider in the remote-access path; posture collected by the Cisco Trust Agent Posture Client, CTS Device Posture Client, and Enterprise NIC Controller (TRDP).
• Why? To authenticate and authorize User, Machine, Device, and Posture. All access devices talk RADIUS to Cisco Secure ACS, which consults the User Repository (LDAP, AD, ODBC, OTP) and External Policy and Audit Servers (HCAP, GAME).

How is ACS used

Our customers use ACS for:
1. Authentication and authorization (privileges) of remote users (traditional RADIUS)
2. Security of wired and wireless networks (EAP)
3. Administrators' access management to network devices and applications (TACACS+)
4. Security audit reports or account billing information

Ships in two form factors: Software and Appliance.

ACS has been successful because it combines access security, user and administrator access, authentication, and policy control in a centralized identity framework.

AAA – Related Protocols

• RADIUS – Remote Authentication Dial In User Service
• TACACS+ – Terminal Access Controller Access Control System. TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the TACACS protocol referenced by RFC 1492.

What is RADIUS?

• A protocol used to communicate between a network device and an authentication server or database.
• Allows the communication of login and authentication information, i.e. Username/Password, OTP, etc.
• Allows the communication of arbitrary value pairs using "Vendor Specific Attributes" (VSAs).
• Can also act as a transport for EAP messages.
• RFC 2058

[Diagram: UDP Header | RADIUS Header | EAP Payload]

How Cisco Secure ACS Operates

[Diagram: AAA Client (Network Access Server) <- TACACS+ / RADIUS -> Cisco Secure ACS <-> Local or Variety of External Databases; Variety of Authentication Methods]

• AAA Client/Server: the AAA Client defers authorization to the centralized AAA server
• Highly scalable
• Uses standards-based protocols for AAA services

Some important points of Authentication

• The process of authentication is used to verify a claimed identity
• An identity is only useful as a pointer to an applicable policy and for accounting
• Without authorization or associated policies, authentication alone is pretty meaningless
• An authentication system is only as strong as the method of verification used

Network Access Control Model

[Diagram: Device Access (LAN, Wireless) -> Request for Service (Connectivity) -> ACS -> Backend Authentication Support / Identity Store Integration]

Protocols and mechanisms:
• Extensible Authentication Protocol (EAP, RFC 3748)
• IEEE 802.1x framework
• Use of RADIUS

How RADIUS is used here?

• RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)
• RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579

[Diagram: IP Header | UDP Header | RADIUS Header | EAP Payload]

• RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs

[Diagram: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs]

• Usage guideline for 802.1x authenticators' use of RADIUS: RFC 3580
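An added example (not code from the deck or from Cisco) of the framing shown above: a RADIUS Access-Request carrying an EAP-Response/Identity inside the EAP-Message attribute (type 79), protected by the Message-Authenticator attribute (type 80) that RFC 3579 requires whenever EAP is transported over RADIUS. The shared secret, identity, and identifiers are constructed values; the attribute walk rejects malformed lengths and the verifier refuses packets whose Message-Authenticator is missing or wrong.

```python
import hashlib, hmac, os, struct

SECRET = b"example-shared-secret"  # constructed; not a real deployment value
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def avp(atype, value):
    # RADIUS attribute: Type(1) | Length(1, header included) | Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def eap_response_identity(eap_id, identity):
    # EAP: Code(1)=2 Response | Identifier(1) | Length(2) | Type(1)=1 Identity | data
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def build_access_request(identifier, identity, eap_id, authenticator=None):
    # RADIUS Access-Request (Code 1): Code | Identifier | Length(2) | Authenticator(16) | attrs
    authenticator = authenticator or os.urandom(16)
    attrs = avp(ATTR_USER_NAME, identity)
    attrs += avp(ATTR_EAP_MESSAGE, eap_response_identity(eap_id, identity))
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled placeholder
    pkt = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs
    # HMAC-MD5 over the whole packet with the placeholder still zeroed (RFC 3579 3.2)
    return pkt[:-16] + hmac.new(SECRET, pkt, hashlib.md5).digest()

def attributes(pkt):
    # Walk the attribute list, rejecting truncated or zero-length attributes
    i, out = 20, []
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = pkt[i], pkt[i + 1]
        out.append((atype, i, pkt[i + 2:i + alen]))
        i += alen
    return out

def verify_message_authenticator(pkt, secret=SECRET):
    # Reject a bad Length field, then drop EAP-carrying requests lacking a valid Message-Authenticator
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    for atype, off, value in attributes(pkt):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False

def eap_identity(pkt):
    # Reassemble EAP-Message fragments and read the EAP-Response/Identity payload
    eap = b"".join(v for t, _, v in attributes(pkt) if t == ATTR_EAP_MESSAGE)
    code, _, length, etype = struct.unpack("!BBHB", eap[:5])
    return eap[5:length] if (code, etype) == (2, 1) else None
```

The same HMAC check applies to Access-Challenge, Access-Accept and Access-Reject replies, which is what lets the authenticator detect a forged server response.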

What's EAP?

• EAP – The Extensible Authentication Protocol
• A flexible protocol used to carry arbitrary authentication information – not the authentication method itself.
• Typically rides directly over data-link layers such as 802.1x or PPP media.
• Originally specified in RFC 2284, obsoleted by RFC 3748.
• Rose out of the need to reduce the complexity of relationships between systems and the increasing need for more elaborate and secure authentication methods.

What does it do?

• Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
• A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry EAP information
• Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges.
• EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS
• Three forms of EAP are specified in the standard:
  - EAP-MD5: MD5 hashed username/password
  - EAP-OTP: one-time passwords
  - EAP-GTC: token-card implementations requiring user input

[Diagram: Ethernet Header | 802.1x Header | EAP Payload]

Current Prevalent Authentication Methods

Challenge-response-based:
• EAP-MD5: Uses MD5 based challenge-response for authentication
• LEAP: Uses username/password authentication
• EAP-MSCHAPv2: Uses username/password MSCHAPv2 challenge-response authentication

Cryptographic-based:
• EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for authentication

Tunneling methods:
• PEAP: Protected EAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like web-based SSL
• EAP-TTLS: Other EAP methods over an extended EAP-TLS encrypted tunnel
• EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment

Other:
• EAP-GTC: Generic token and OTP authentication

IEEE 802.1x

802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.

[Diagram: PC <-> Catalyst Switch <-> ACS (AAA Server)]
1. User activates link (i.e. turns on the PC)
2. Switch asks the authentication server whether the user is authorized to access the LAN
3. Authentication server responds with the access authorization
4. Switch opens the controlled port (if authorized) for the user to access the LAN

Features and Functions

Hardware/Software Platform

• ACS implements identity management and AAA services
• CD-ROM version for any Windows 2003 server
• Appliance version delivered on a hardened Win2003 OS
• Highly scalable (100,000+ users, thousands of RADIUS/TACACS+ devices) and feature-rich

Features Unique to the ACS Appliance

• Security-hardened underlying OS. Port-based packet filtering, allowing connections only to the ports necessary for Cisco Secure ACS operation.
• Serial console interface for initial configuration, subsequent management of IP connections, recovery procedures, and application of upgrades and remote reboots. The serial console interface supports both serial line and Telnet connections.
• Web interface.
• SNMP read-only support to monitor the appliance from external systems.
• Network Timing Protocol (NTP) support for maintaining network time consistency with other appliances or network devices.
• Backup/restore of the Cisco Secure ACS data via FTP.

ACS – The Policy Based Network Controller

ACS versions in the field:
• ACS 4.0 SW (FCS 2004) -> main feature NAC Phase 2 (L2 Posture Validation and external audit, service based policy)
• ACS 4.1 SW (FCS 2006) -> main features extended logging support, new ACS administrator management, PEAP/EAP-TLS support, Japanese Microsoft Windows support
• ACS 4.2 SW (FCS 2008)

Service Based Policy

The administrator entirely controls the ACS behavior by configuring aggregated Service Based Policies:
  - How to process an access request: do (not) authenticate / using which auth protocols / do (not) validate posture / which posture protocols…
  - Credential validation policies (i.e. which DB to use for auth)…
  - Classification: map identity to user-group, map posture credentials to posture-token…
  - Authorization policies: map from user-group & posture-token to RADIUS profile…

Different policies can be applied to different network access. Example: wireless access vs. remote (VPN) access policy.

ACS Features

• Automatic service monitoring, database synchronization, and importing tools for large-scale deployments
• LDAP, ODBC and OTP (RSA, others) user authentication
• Flexible 802.1X authentication support, including EAP-TLS, Protected EAP (PEAP), Cisco LEAP, EAP-FAST, and EAP-MD5
• Downloadable ACLs for any Layer 3 device, including routers, PIX® firewalls, and VPNs (per user, per group)
• Network & machine access restrictions and filters
• Device command set authorization
• Detailed audit and accounting reports
• Dynamic quota generation
• User and device group profiles

Deployment Scenarios – Cisco Secure ACS

Network Access Scenario

[Diagram: Centralized Access Control Server (Cisco Secure ACS, ACS View)]
• Remote User: Remote Access (VPN) via ISP AAA Provider to the VPN Concentrator
• Wireless User: Wireless 802.1x – EAP-TLS via Aironet AP
• Wired user: LAN 802.1x – EAP-FAST via Catalyst Switch
• IOS Router at the Enterprise edge; all access devices use RADIUS to Cisco Secure ACS
• ACS backends: User Repository (LDAP, AD, ODBC, OTP) and External Policy and Audit Servers (HCAP, GAME)

Device Administration Scenario

[Diagram: Network Administrators with FULL ACCESS, PARTIAL or READ ONLY rights to Routers, Switches and APs (West-APs, Backbone, East) behind the Security Perimeter]
• ACS with Syslog, ACS or RA logging server; TACACS+ or RADIUS replication between servers
• Server access: Unix, DSMS
• System access: PBX, Terminal Server
• Secure auth mechanisms

GUI Interface / Screen Shots

Cisco Secure ACS – Accessing GUI

Remote Administrator authentication page (http://server-name/IP:2002). An administrator must be configured prior to remote login. If accessed on the local system (for example, using 127.0.0.1 as the IP address) this page is not displayed and the administrator gains access.

Cisco Secure ACS Home Page [screenshot]

NAP – Network Access Profile [screenshot]

