Abstract
Cisco Identity-Based Networking Services (IBNS) provides customized access control for wired LAN networks. Cisco IBNS is increasingly important in campus networks as enterprises look for security, visibility, and convergence at the access edge. Using IEEE 802.1X and supplementary technologies, Cisco IBNS is a network solution that provides the foundation for dynamic, user-differentiated policy and advanced network intelligence.
Identity-Enabled Networking
2008 Cisco Systems, Inc. All rights reserved.
Drivers for identity at the access edge
- Increase network visibility
- Compliance
- Contractors, partners, and guests
IEEE 802.1X components
- Supplicant (client), for example the Cisco Secure Services Client (SSC)
- Authenticator (the switch): a relay between the client on the Layer 2 link and the authentication server on the Layer 3 link; the actual authentication method is policy dependent and the authenticator does not need to understand it
- Authentication server, with a back-end database (AD, LDAP)
EAP in Context
Supplicant (Cisco SSC) <- Layer 2 point to point -> Authenticator <- Layer 3 link (RADIUS) -> Authentication Server
1. Supplicant -> Authenticator: EAPoL-Start
2. Authenticator -> Supplicant: EAP Request/Identity
3. Supplicant -> Authenticator: EAP Response/Identity: Alice (relayed to the server)
4. Server -> Supplicant: EAP Request: send tunneled password
5. Supplicant -> Server: EAP Response: tunneled password
6. Server: EAP Success, with the authorization for the authenticator: let Alice on VLAN 10
Method          Client Credential        Basis for Encryption         Main Benefit
EAP-TLS         Client certificate       TLS; no tunnel required      Highly secure
PEAP-MSCHAPv2   Username and password    Server-certified TLS tunnel  Does not require client certificate
EAP-FAST        PAC                      Server PAC                   Requires no certificates
Client support
- Windows XP supports EAP-TLS, PEAP with EAP-MSCHAPv2, and PEAP with EAP-TLS
- Third-party supplicants support a large variety of EAP types, but not all
Authentication store
- PEAP with EAP-MSCHAPv2 can be used only with authentication stores that hold passwords in a form MS-CHAPv2 can verify (the NT hash, as Active Directory does); a store that keeps only salted one-way hashes cannot back it
- Not every identity store supports all EAP types
EAP over RADIUS
Between supplicant and authenticator the EAP packets travel in EAPoL frames on the Layer 2 point-to-point link; between authenticator and authentication server they travel on the Layer 3 link inside RADIUS:

  IP Header | UDP Header | RADIUS Header | EAP Payload (EAP-Message attribute) | further AV pairs

RADIUS in Context (PEAP example)
1. Supplicant -> Authenticator: EAPoL-Start
2. Authenticator -> Supplicant: EAP Request/Identity
3. Supplicant -> Authenticator: EAP Response/Identity
4. Authenticator -> Server: RADIUS Access-Request [AVP: EAP Response: Alice]
5. Server -> Supplicant: EAP Request: PEAP
6. Supplicant -> Server: EAP Response: PEAP (Client Hello), then the PEAP exchange; multiple challenge/request exchanges are possible
7. Server -> Authenticator -> Supplicant: EAP Success (the Access-Accept also carries the authorization AV pairs for the port)
Next Section: Wired IEEE 802.1X Port-Based Access Deployment
Compare remote-access VPN
- Relatively new technology
- Required a client from the beginning
RADIUS: the authenticator (switch, access point, etc.) speaks RADIUS to the authentication server (Cisco Secure ACS, etc.).

Switch port without IEEE 802.1X: the port forwards whatever the attached host sends (DHCP, TFTP, KRB5, HTTP, ...) from an unknown user: no visibility, no access control.
Switch port with IEEE 802.1X, before authentication: only EAPoL is accepted and everything else (DHCP, TFTP, KRB5, HTTP) is dropped: no visibility (yet), strict access control.
After authentication the switch port looks the same as without IEEE 802.1X: DHCP, TFTP, KRB5, HTTP flow again, but now they belong to an authenticated user: Sally.
Host without a supplicant: it sends DHCP, TFTP and the rest but never EAPoL, so the port stays offline. No EAPoL = no access.
Deployment challenges
- Clientless devices
- Host asset management
- Operation cost
- IP telephony (IPT) integration
Fallback to MAC Authentication Bypass (MAB) for an end-point host with no supplicant
1. Link up. The switch sends EAP Request/Identity; no response. The 30-second timer runs down (0:30, 0:20, 0:10, 0:05, 0:01, 0:00): timeout.
2. Second EAP Request/Identity; no response; the timer runs down again: timeout.
3. Third EAP Request/Identity; no response: IEEE 802.1X has timed out.
4. Fallback to MAB: the switch learns the host's MAC address from its first frame.
5. RADIUS Access-Request: 00.0a.95.7f.de.06 (the MAC address is the credential).
6. RADIUS Access-Accept for 00.0a.95.7f.de.06: port enabled.
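The two exchanges on the preceding slides, the EAP relay of "RADIUS in Context" and the MAB fallback request, as one added example that is not part of the Cisco deck: a supplicant's EAP-Response/Identity inside an EAPoL frame, the authenticator stripping it into a RADIUS Access-Request carrying EAP-Message and Message-Authenticator, the server-side HMAC check, and the MAB request that sends the learned MAC as User-Name and User-Password with Service-Type Call-Check. The shared secret, RADIUS identifiers and port name are constructed sample values (the MAC address is the one from the slide); attribute layouts follow RFC 2865 and RFC 3579, and only the Python standard library is used.

```python
"""IEEE 802.1X relay: EAPoL frame -> RADIUS Access-Request (EAP-Message), plus a MAB request.
Added example, not from the Cisco deck; secret, identifiers, port name and MAC are constructed samples."""
import hashlib
import hmac
import os
import struct

# EAPoL (IEEE 802.1X) constants for the supplicant-authenticator link
EAPOL_ETHERTYPE, PAE_GROUP_ADDR, EAPOL_EAP_PACKET = 0x888E, bytes.fromhex("0180c2000003"), 0
# RADIUS (RFC 2865, RFC 3579) code, attribute types and values for the authenticator-server link
ACCESS_REQUEST, USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 1, 2, 6, 31
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 61, 79, 80, 87
SERVICE_FRAMED, SERVICE_CALL_CHECK, PORT_TYPE_ETHERNET = 2, 10, 15

def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP Response (code 2) / Identity (type 1): the supplicant's answer to EAP-Request/Identity."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data

def eapol_frame(src_mac: bytes, pkt_type: int, body: bytes = b"") -> bytes:
    """Ethernet frame to the PAE group address with an EAPoL v1 header followed by the EAP body."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, pkt_type, len(body)) + body

def eap_from_eapol(frame: bytes) -> bytes:
    """What the authenticator relays: strip Ethernet and EAPoL headers, keep exactly the EAP packet."""
    ethertype, _version, pkt_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE or pkt_type != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPoL EAP-Packet frame")
    return frame[18:18 + length]

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type | Length | Value (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, len(value) + 2) + value

def pap_hide(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(secret: bytes, identifier: int, authenticator: bytes, attrs: list) -> bytes:
    """Header + attributes + Message-Authenticator (HMAC-MD5 over the packet with that value zeroed),
    which RFC 3579 makes mandatory whenever EAP-Message is present."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator
    return header + body[:-16] + hmac.new(secret, header + body, hashlib.md5).digest()

def parse_attributes(pkt: bytes) -> list:
    """[(type, value), ...]; lengths are checked so a malformed packet raises instead of looping."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        alen = pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + alen]))
        pos += alen
    return attrs

def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server-side check; an Access-Request without the attribute fails closed."""
    pos = 20
    for atype, value in parse_attributes(pkt):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False

def port_attrs(mac: bytes, port_id: str) -> list:
    """NAS-Port-Type, NAS-Port-Id and Calling-Station-Id (00-0A-95-7F-DE-06 form) for one port."""
    station = "-".join(f"{b:02X}" for b in mac).encode()
    return [attr(NAS_PORT_TYPE, struct.pack("!I", PORT_TYPE_ETHERNET)),
            attr(NAS_PORT_ID, port_id.encode()), attr(CALLING_STATION_ID, station)]

def dot1x_access_request(secret: bytes, frame: bytes, port_id: str, identifier=1, authenticator=None) -> bytes:
    """Authenticator side of 'RADIUS in Context': relay the supplicant's EAP-Response/Identity to the server."""
    eap = eap_from_eapol(frame)
    if len(eap) < 5 or eap[0] != 2 or eap[4] != 1:
        raise ValueError("expected EAP-Response/Identity")
    attrs = [attr(USER_NAME, eap[5:]), attr(SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED)),
             *port_attrs(frame[6:12], port_id), attr(EAP_MESSAGE, eap)]
    return build_access_request(secret, identifier, authenticator or os.urandom(16), attrs)

def mab_access_request(secret: bytes, mac: bytes, port_id: str, identifier=2, authenticator=None) -> bytes:
    """MAB fallback: no EAPoL ever arrived, so the learned MAC (12 lowercase hex digits) is sent as
    both User-Name and User-Password, with Service-Type Call-Check marking it as a MAC check."""
    authenticator = authenticator or os.urandom(16)
    hexmac = mac.hex().encode()
    attrs = [attr(USER_NAME, hexmac), attr(USER_PASSWORD, pap_hide(secret, authenticator, hexmac)),
             attr(SERVICE_TYPE, struct.pack("!I", SERVICE_CALL_CHECK)), *port_attrs(mac, port_id)]
    return build_access_request(secret, identifier, authenticator, attrs)
```

Two points worth noticing when reading the output: the authenticator never interprets the EAP method (it copies the EAP packet byte for byte into EAP-Message, which is why the method is "policy dependent" on the server alone), and the MAB request is an ordinary PAP request whose only secret is a MAC address, so the server must be configured to treat Call-Check requests differently from user logons.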
NAC Profiler collects endpoint data from the switches over SNMP and from DHCP; DHCP requests reach the Profiler server by adding it as a helper address on the client VLAN:

interface VLAN 30
 ip helper-address 10.100.10.215
NAC Profiler: query the MAC database after deploying IEEE 802.1X
1. Endpoint 00-18-f8-09-cf-d7 connects; it has no supplicant, so the switch falls back to MAB.
2. The switch sends the MAC address to ACS in a RADIUS Access-Request.
3. ACS looks up 00-18-f8-09-cf-d7 on the NAC Profiler server using LDAP.
4. LDAP success: the MAC address is a known endpoint.
5. ACS returns Access-Accept: port enabled.
Next Section: Open Mode
Open mode: the switch port admits EAPoL and, before authentication, only the traffic the pre-authentication ACL allows to specific servers (DHCP, the PXE server); other pre-authentication traffic, for example HTTP or TFTP to other hosts, is dropped.
Wired Ethernet end points in open mode (slide source: Ken Hook)
Before authentication: EAP to the authenticator (RADIUS to the server); DHCP to any; DNS to 10.100.10.116; PXE (TFTP) to the PXE server 10.100.10.117.
After authentication: the end point holds IP 10.100.60.200 and its full policy applies.
The pre-authentication ACL as programmed on the port (TCAM view):

6506-2#show tcam interface g1/13 acl in ip
  permit udp any any eq bootps
  permit udp any host 10.100.10.116 eq domain
  permit udp any host 10.100.10.117 eq tftp
  deny ip any any

Before authentication only DHCP, DNS to 10.100.10.116 and TFTP (PXE) to 10.100.10.117 pass; everything else is denied. After authentication these entries are replaced by the authenticated host's policy (the slide shows the host at 10.100.60.200 with established-TCP permits in place of the deny).
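To check what the pre-authentication ACL actually lets through, here is an added example (not from the deck) with a small first-match evaluator for the ACE subset used above. The four pre-auth entries are the ones on the slide; the post-authentication ACL, the flow list and the one address not on the slide (192.0.2.53, from the documentation range) are constructed.

```python
"""Open-mode pre-authentication ACL evaluated against sample flows (first match wins).
Added example, not from the deck: the pre-auth entries are from the slide's TCAM dump for g1/13,
the post-auth ACL and the flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "domain": 53, "tftp": 69, "www": 80}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "udp" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None: any destination port
    established: bool = False        # tcp only: match replies to sessions the host opened


def parse_ace(line: str) -> Ace:
    """Parse the IOS ACE subset used on the slide, e.g. 'permit udp any host 10.100.10.117 eq tftp'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ipaddress.ip_network("0.0.0.0/0")
        if rest[0] == "host":
            net = ipaddress.ip_network(rest[1] + "/32")
            rest = rest[2:]
            return net
        raise ValueError("only 'any' and 'host A.B.C.D' are supported")

    src, dst = take_addr(), take_addr()
    dport, established = None, False
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    if rest == ["established"] and proto == "tcp":
        established, rest = True, []
    if rest:
        raise ValueError("unsupported keyword: " + rest[0])
    return Ace(action, proto, src, dst, dport, established)


def evaluate(acl, proto, src, dst, dport, ack=False) -> str:
    """'permit' or 'deny' for one flow; IOS ends every ACL with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.established and not ack:
            continue
        return ace.action
    return "deny"


PRE_AUTH_ACL = [parse_ace(l) for l in """\
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
deny ip any any""".splitlines()]

# constructed: what a downloadable per-user ACL might install once the user is authenticated
POST_AUTH_ACL = [parse_ace("permit ip any any")]

# constructed flows from a host that has (or will get) 10.100.60.200; DHCP discover is sent from 0.0.0.0
FLOWS = [
    ("dhcp discover", "udp", "0.0.0.0", "255.255.255.255", 67),
    ("dns to 10.100.10.116", "udp", "10.100.60.200", "10.100.10.116", 53),
    ("dns to 192.0.2.53", "udp", "10.100.60.200", "192.0.2.53", 53),
    ("pxe tftp", "udp", "10.100.60.200", "10.100.10.117", 69),
    ("http", "tcp", "10.100.60.200", "10.100.10.116", 80),
]


def report(acl) -> dict:
    """{flow name: decision} for every sample flow under the given ACL."""
    return {name: evaluate(acl, proto, src, dst, dport) for name, proto, src, dst, dport in FLOWS}
```

Running report(PRE_AUTH_ACL) shows the point of open mode: the host can obtain an address, resolve names on the corporate DNS server and PXE-boot, but DNS to any other resolver and all HTTP are denied until the port is authorized and the post-authentication ACL replaces the pre-auth one.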
Next Section: Flexible Authentication (FlexAuth)
Flexible Authentication: "host roulette", any kind of host may show up on any port
- Employee or faculty with an IEEE 802.1X client: EAP -> Access-Accept -> port authorized
- Valid host asset (known MAC address, no supplicant): MAB -> known MAC -> Access-Accept -> port authorized
- Guest, partner or subcontractor (unknown MAC address): MAB -> Access-Accept with URL redirect -> web authentication
Choice of policy enforcement mechanisms: VLAN, downloadable per-user ACL, and URL redirect.
Interface configuration (IEEE 802.1X first, then MAB, then web authentication as the fallback):

interface GigabitEthernet1/13
 authentication host-mode multi-domain
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 dot1x pae authenticator
 authentication violation restrict
 authentication fallback WEB-AUTH
 mab
Next Section: IP Telephony Integration
IP phone and PC on one port (Catalyst 3750 shown)
1. Two devices per port: the PC is daisy-chained behind the IP phone.
2. The IEEE 802.1X machine state depends on link state, but the PC's link state is unknown to the switch: the PC plugs into the phone, not the switch, so the switch never sees the PC's link go down.
On a single-host port the second MAC address is a security violation.
IEEE 802.1X with separate Voice and Data domains on the same port (multi-domain authentication, MDA).
MDA in Action

3750-1(config-if)#do sh dot1x int G1/0/5 details
<...>
Dot1x Authenticator Client List
-------------------------------------------------------------
Domain                  = DATA
Supplicant              = 0014.5e42.66df
Auth SM State           = AUTHENTICATED
Auth BEND SM State      = IDLE
Port Status             = AUTHORIZED
Authentication Method   = Dot1x
Authorized By           = Authentication Server

Domain                  = VOICE
Supplicant              = 0016.9dc3.08b8
Auth SM State           = AUTHENTICATED
Auth BEND SM State      = IDLE
Port Status             = AUTHORIZED
Authentication Method   = MAB
Authorized By           = Authentication Server
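The client list above is easy to read by machine. The following added example (not from the deck) parses it into one record per domain, normalizes the Cisco dotted MAC form for correlation with ACS or DHCP logs, and flags DATA-domain sessions authorized by MAB, the case the later slides show depending on the inactivity timer for cleanup when the device unplugs from behind the phone. SAMPLE is the output shown on the slide; the second sample is constructed by switching the data domain's method to MAB.

```python
"""Parse 'show dot1x interface ... details' client lists and flag MAB-authorized data sessions.
Added example, not from the deck. SAMPLE is the MDA output on the slide; SAMPLE_MAB_DATA is constructed."""
import re

SAMPLE = """\
Dot1x Authenticator Client List
-------------------------------------------------------------
Domain                  = DATA
Supplicant              = 0014.5e42.66df
Auth SM State           = AUTHENTICATED
Auth BEND SM State      = IDLE
Port Status             = AUTHORIZED
Authentication Method   = Dot1x
Authorized By           = Authentication Server

Domain                  = VOICE
Supplicant              = 0016.9dc3.08b8
Auth SM State           = AUTHENTICATED
Auth BEND SM State      = IDLE
Port Status             = AUTHORIZED
Authentication Method   = MAB
Authorized By           = Authentication Server
"""

# constructed: a clientless PC behind the phone, authorized by MAB instead of IEEE 802.1X
SAMPLE_MAB_DATA = SAMPLE.replace("Authentication Method   = Dot1x", "Authentication Method   = MAB")

KV = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")


def parse_client_list(text: str) -> list:
    """One dict per session; each 'Domain' line starts a new session, other lines are key = value."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "Domain":
            cur = {}
            sessions.append(cur)
        if cur is not None:
            cur[key] = val
    return sessions


def cisco_mac_to_colon(mac: str) -> str:
    """'0014.5e42.66df' -> '00:14:5e:42:66:df' so the MAC matches ACS, DHCP or profiler records."""
    digits = mac.replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a Cisco dotted MAC address: " + mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_data_sessions(sessions: list) -> list:
    """MACs of authorized DATA-domain sessions that MAB, not IEEE 802.1X, authorized: such a device
    cannot send EAPoL-Logoff, so its session lingers until the inactivity timer fires."""
    return [cisco_mac_to_colon(s["Supplicant"]) for s in sessions
            if s.get("Domain") == "DATA" and s.get("Port Status") == "AUTHORIZED"
            and s.get("Authentication Method", "").upper() == "MAB"]
```

Run over a whole stack (one 'show dot1x interface ... details' per port) the list from mab_data_sessions is the set of ports where the "security hole" slides below apply and where the inactivity timer, not a logoff, is the only thing that clears a departed device.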
Port authorized for 0011.2233.4455 only (Catalyst 3750 shown)
A. Device A (supplicant 0011.2233.4455) is authenticated behind the phone; the port is authorized for that MAC address only.
B. Device A unplugs from the phone. The switch does not see a link change, so the session stays up. Device B (6677.8899.AABB) plugs in: a second MAC address in the data domain is a Security Violation. If Device B instead spoofs 0011.2233.4455, it inherits A's authorized session: a Security Hole.
Proxy EAPoL-Logoff
- PC A unplugs from the phone; the phone sends an EAPoL-Logoff on PC A's behalf, and the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED).
- PC B plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x.
Caveats: only for IEEE 802.1X devices behind the phone. Requires logoff-capable phones.
Inactivity timer
- A device authorized by MAB (Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB) unplugs from the phone. It cannot send an EAPoL-Logoff, so the session is vulnerable to security violations and holes until the inactivity timer expires; then the session is cleared (Domain = DATA, Port Status = UNAUTHORIZED).
Caveats: quiet devices may have to reauthenticate, and network access is denied until reauthentication completes; there is still a window of vulnerability.
NEW: Cisco Discovery Protocol notification
- Device A unplugs from the phone; the phone notifies the switch through Cisco Discovery Protocol, and the session is cleared immediately (Domain = DATA, Port Status = UNAUTHORIZED).
- Nothing to configure.
Ways to learn that the device behind the phone is gone: Cisco Discovery Protocol notification; EAPoL-Logoff (from the supplicant or proxied by the phone); inactivity timers.
Customer benefits
- Allows more devices to participate in the identity network
- Eliminates capital and operating expenses for upgrade and replacement of all IP phones
Main Points
- Cisco Identity-Based Networking Services (IBNS) provides a security foundation for customers
- New Cisco IBNS features simplify deployments and operations
Additional Resources
Cisco IBNS Website: http://www.cisco.com/go/ibns
Products:
- Cisco Catalyst 6500 Series Switches: http://www.cisco.com/go/6500
- Cisco Catalyst 4500 Series Switches: http://www.cisco.com/go/4500
- Cisco Catalyst 3750 Series Switches: http://www.cisco.com/go/3750
- Cisco Catalyst 3560 Series Switches: http://www.cisco.com/go/3560
- Cisco Catalyst 2960 Series Switches: http://www.cisco.com/go/2960