Kompetenčné centrum. Martin Jenčo V 1.0

Transcription

1 Kompetenčné centrum Martin Jenčo V 1.0

2 Cisco Secure ACS v5.1

3 Table of Contents Identity ACS v5.1 overview ACS v5.1 feature Rule-based policy model Demo Management Monitoring and Reporting Nazev skoleni a verze Copyright Alef Nula, a.s. 3

4 Table of Contents Integration with Windows AD and LDAP Runtime system, HA Migration Not supported Licensing Platform option More Information Nazev skoleni a verze Copyright Alef Nula, a.s. 4

5 Table of Contents Identity Tacacs, Radius ACS overview ACS v5.1 overview ACS v5.1 feature Rule-based policy model Demo Management Monitoring and Reporting Nazev skoleni a verze Copyright Alef Nula, a.s. 5

6 Identity Identity management Local management (single device) Central user management (corporate network) (Cisco ACS, MS AD, LDAP) Internet Nazev skoleni a verze Copyright Alef Nula, a.s. 6

7 Identity AAA Authentication (Who you are) Authorization (What you can do) Accounting (What you did) Internet FTP Web RADIUS TACACS+ Corporate DMZ AUTHIN AUTHOUT Headquarters Nazev skoleni a verze Copyright Alef Nula, a.s. 7

8 Tacacs and Radius, compare RADIUS 1. RFC 2865, old UDP 1812/1813, old UDP 1645/ Client/Server model 4. Encrypts only the password TACACS+ 1. Cisco proprietary protocol 2. TCP Client/Server model 4. Encrypts the entire body of the packet 5. Multiprotocol support (Apple Talk, NetBIOS, X.25, ) 6. Two methods of commands authorization (per command, privilege level) Nazev skoleni a verze Copyright Alef Nula, a.s. 8

9 Tacacs and Radius, utilize Tacacs admin connections to the box (administrative access) Radius user connections to the company (user access) Nazev skoleni a verze Copyright Alef Nula, a.s. 9

10 ACS overview ACS is the point in the network that establishes identity integration point for network access control and identity management ACS provide: Standard AAA (Authentication, Authorization, Accounting) RADIUS services for managing user access TACACS+ functionality for managing administrative access to network devices Nazev skoleni a verze Copyright Alef Nula, a.s. 10

11 Table of Contents Identity ACS v5.1 overview ACS v5.1 feature Rule-based policy model Demo Management Monitoring and Reporting Nazev skoleni a verze Copyright Alef Nula, a.s. 11

12 ACS v5.1 overview Nazev skoleni a verze Copyright Alef Nula, a.s. 12

13 ACS v5.1 overview Nazev skoleni a verze Copyright Alef Nula, a.s. 13

14 Table of Contents Identity ACS v5.1 overview ACS v5.1 feature Architecture Rule-based policy model Demo Management Monitoring and Reporting Nazev skoleni a verze Copyright Alef Nula, a.s. 14

15 ACS 5.1 Feature Highlights Rules-based policy model Improved management interfaces Integrated monitoring, reporting and troubleshooting capabilities Improved integration with Windows AD and LDAP Revised high-performance runtime system New platform architecture, distributed deployment Support for the Cisco identity solution features and Cisco TrustSec solutions Shell Access Control Nazev skoleni a verze Copyright Alef Nula, a.s. 15

16 Architecture of ACS Key architecture 1. Includes both RADIUS & TACACS+ for complete N/W control and operation flexibility 2. Multiple identity interfaces allows flexible integration to multiple DB and ID resources 3. Replication mechanism allows deployment of multiple instances increasing availability and robustness 4. Administration of large scale deployments Device Protocols ACS Management ACS Runtime Reporting & Troubleshooting Policy & Inventory Accounting & logging Identity interfaces Posture & audit protocols 5. Industry leading reporting, troubleshooting & compliance tools Nazev skoleni a verze Copyright Alef Nula, a.s. 16

17 Table of Contents Identity ACS v5.1 overview ACS v5.1 feature Rule-based policy model Compare with Group-based Authorization policy Identity policy Access services Demo Nazev skoleni a verze Copyright Alef Nula, a.s. 17

18 Rule-based policy model Allow much grater flexibility in addressing policy needs Attribute-driven approach enables dynamic, context based policy Granular policy building blocks Nazev skoleni a verze Copyright Alef Nula, a.s. 18

19 Group-based policy model (ACS 4.x) Group based model works well if identity is the main condition for granting access Not suitable when you wish to authorize access based on more complex conditions Problem if one user is in different circumstances (location, connection profile, time, ) Permission = static Nazev skoleni a verze Copyright Alef Nula, a.s. 19

20 Rule-based/group-based model Group-based policy 1. Limited flexibility 2. Harder to manage evolving policy needs 3. Main condition for access = identity Rule-based policy 1. Attribute-driven approach enables dynamic, context based policy 2. Compose-able policy, Granular policy building blocks 3. Policies that reflect the real world 4. Better flexibility Nazev skoleni a verze Copyright Alef Nula, a.s. 20

21 Today needs Security Camera G/W Agentless asset MAC: F5 AB 8B D4 Vicky Sanchez Employee Marketing Wireline 3pm Rossi Barks Employee HR Wireline 11am Laptop Managed asset Main Laboratory 11am Sergei Balazov Contractor IT Wireline 10am Susan Kowalski Employee CEO Remote Access 10pm Bill Graves Employee R&D Wireless 2pm Francois Didier Consultant HQ - Strategy Remote Access 6pm IP Phone G/W Managed asset Finance dept. 12:00pm Printer Agentless asset MAC: B2 CF 81 A4 02 D7 Nazev skoleni a verze Copyright Alef Nula, a.s. 21

22 Rule-based policy model Static access is not enough (Who they are) Identity is too dynamic Variable dynamic circumstances: Where (location) When (time, date) How (wired, wireless, remote) Nazev skoleni a verze Copyright Alef Nula, a.s. 22

23 ACS 5: Rule-based policy Identity Information Group: Network Administrator Other Conditions Time & Date Auth. Profiles Engineering Human Resources Group: Full-time Employee + Posture Location Login VLAN Guest Group: Guest Access Type Quarantine Deny Access Authorization based on identity plus context Conditions are specified as policy rules - IF <conditions> THEN <permission> Nazev skoleni a verze Copyright Alef Nula, a.s. 23

24 Group-based policies Authorization User Groups Based on your User Group Only condition = identity Everyone in group = same restrictions Everyone in group = same permissions NetAdmin Group Permissions Full Access Restrictions None Employee Group Permissions Employee_VLAN Restrictions None Guest Group Permissions Guest_VLAN Restrictions Time_od_Day Nazev skoleni a verze Copyright Alef Nula, a.s. 24

25 Rule-based policies Identity Attributes Separate identity Separate the permission Group is now simply an identity classification No longer contains any access permissions NetAdmin Group Permissions Full Access Restrictions None Employee Group Permissions Employee_VLAN Restrictions None Guest Group Permissions Guest_VLAN Restrictions Time/Date Nazev skoleni a verze Copyright Alef Nula, a.s. 25

26 Rule-based policies Identity Attributes Session Attributes Environment Permissions NetAdmin Group Employee Group Guest Group Location Access Type Wireless Wired VPN End Station Health Time Date Usage/Quotas Etc. Full Access Read-only Access Employee_VLAN Guest_VLAN Voice_VLAN Downloadable ACL QoS Settings Nazev skoleni a verze Copyright Alef Nula, a.s. 26

27 Rule-based policies IF <conditions> THEN <Apply resulting permissions> NetAdmin Group Employee Group Guest Group Location Access Type Wireless Wired VPN End Station Health Time Date Usage/Quotas Etc. Full Access Read-only Access Employee_VLAN Guest_VLAN Voice_VLAN Downloadable ACL QoS Settings QUARANTINE DENY_ACCESS Nazev skoleni a verze Copyright Alef Nula, a.s. 27

28 Rule-based policies IF <conditions> THEN <Apply resulting permissions> NetAdmin Group Employee Group Guest Group Location Access Type Wireless Wired VPN End Station Health Time Date Usage/Quotas Etc. AUTHORIZATION PROFILE RTP campus SJ_Campus Quarantine Deny Access Nazev skoleni a verze Copyright Alef Nula, a.s. 28

29 Rule-based policies - Example Employee Group With Rule-Based Policies The same class of users ( Employee ) can get different authorization depending on non-identity conditions (e.g. posture or location) CONDITIONS RESULT ID GROUP POSTURE LOCATION Authorization PROFILE Employee Compliant RTP RTP_Campus Employee Compliant San_Jose SJ_Campus Employee Non-Compliant QUARANTINE IF NO MATCH DENY_ACCESS Nazev skoleni a verze Copyright Alef Nula, a.s. 29

30 Rule-based policies - Example Employee Group With Rule-Based Policies The same class of users ( Employee ) can get different authorization depending on non-identity conditions (e.g. posture or location) CONDITIONS RESULT ID GROUP POSTURE LOCATION Authorization PROFILE Rule Employee Employee Compliant Compliant RTP San_Jose RTP_Campus SJ_Campus Employee Non-Compliant QUARANTINE IF NO MATCH DENY_ACCESS Rule IF (ID_Group = Employee) and (Posture = Compliant) and (Location = San_Jose) THEN Apply SJ_Campus Authorization Profile Nazev skoleni a verze Copyright Alef Nula, a.s. 30

31 Rule-based policies Authorization Policy Employee Group Authorization Policy is a set of rules to select the Authorization Profile based on various conditions Authorization Policy CONDITIONS RESULT ID GROUP POSTURE LOCATION Authorization PROFILE Rule Employee Employee Compliant Compliant RTP San_Jose RTP_Campus SJ_Campus Policy Employee IF NO MATCH Non-Compliant QUARANTINE DENY_ACCESS Nazev skoleni a verze Copyright Alef Nula, a.s. 31

32 Rule-based policies Identity Policy Network Access / Device Admin Who are you?.. Username / Password What else do I know about you? Location of access point Access Method (VPN, Wireless) ACS Identity Classification Username password Identity Stores Authentication & Identity Attributes X509 Cert Identity Policy Authentication Method Identity Store X509 Certificate Certificate Profile MSCHAPv2 CORP_AD If no match Deny Access Internal ACS External Stores: Active Directory LDAP X509 Certificate Identity Policy is a set of rules to select the Identity Store based on various conditions Nazev skoleni a verze Copyright Alef Nula, a.s. 32

33 Rule-based policies Access Services Network Access POLICY: Set of RULES Identity Policy Authentication Method X509 Certificate MSCHAPv2 If no match Identity Store Certificate Profile CORP_AD Deny Access CONDITIONS RESULT Auth. Policy ID GROUP Employee Employee POSTURE Compliant Compliant LOCATIO N RTP San_Jose Authorization PROFILE RTP_Campus SJ_Campus Employee Non-Compliant QUARANTINE IF NO MATCH DENY_ACCESS ACS v5 SYSTEM Nazev skoleni a verze Copyright Alef Nula, a.s. 33

34 Rule-based policies Access Services Network Access / Device Admin Who are you?.. What else do I know about you? RADIUS Access request / TACACAS+ NAD Info, Attributes, Protocols, Date/Time, Credentials ACCESS SERVICE: Set of POLICIES RADIUS Access Service Selection Policy TACACS Identity Policy POLICY: Set of RULES Authentication Method Identity Store X509 Certificate Certificate Profile MSCHAPv2 CORP_AD If no match Deny Access Access Service A Identity Policy A Auth. Policy A Access Service B Identity Policy B Auth. Policy B Access Service C Identity Policy C Group Mapping C Ext. Policy C Auth. Policy C CONDITIONS RESULT Auth. Policy ID GROUP Employee Employee POSTURE Compliant Compliant LOCATIO N RTP San_Jose Authorization PROFILE RTP_Campus SJ_Campus ACS v5 SYSTEM Employee Non-Compliant QUARANTINE IF NO MATCH DENY_ACCESS RESPONSE Nazev skoleni a verze Copyright Alef Nula, a.s. 36

35 Table of Contents Identity ACS v5.1 overview ACS v5.1 feature Rule-based policy model Demo Management Monitoring and Reporting Nazev skoleni a verze Copyright Alef Nula, a.s. 37

36 Table of Contents Identity ACS v5.1 overview ACS v5.1 feature Rule-based policy model Demo Management Quick start Monitoring and Reporting Nazev skoleni a verze Copyright Alef Nula, a.s. 39

37 Improved management interfaces Completely rewritten GUI One click view Quick start Nazev skoleni a verze Copyright Alef Nula, a.s. 40

38 Improved management interfaces Nazev skoleni a verze Copyright Alef Nula, a.s. 41

39 Improved management interfaces Nazev skoleni a verze Copyright Alef Nula, a.s. 42

40 Improved management interfaces Nazev skoleni a verze Copyright Alef Nula, a.s. 43

41 Quick start Nazev skoleni a verze Copyright Alef Nula, a.s. 44

42 Table of Contents Identity ACS v5.1 overview ACS v5.1 feature Rule-based policy model Demo Management Monitoring and Reporting Alarms Troubleshooting tools Nazev skoleni a verze Copyright Alef Nula, a.s. 45

43 Integrated monitoring, reporting and troubleshooting capabilities Centralized Predefined reports Customized reports Proactive system and performance monitoring Treshold based alarm generation Nazev skoleni a verze Copyright Alef Nula, a.s. 46

44 ACS 4.2 Reports and Activity Nazev skoleni a verze Copyright Alef Nula, a.s. 47

45 ACS 5.1 Monitoring & reports Component Integrated advanced monitoring, reporting & troubleshooting capabilities for maximum control and visibility Easy to use GUI Flexible presentation tools Consolidation of data across an ACS deployment Nazev skoleni a verze Copyright Alef Nula, a.s. 48

46 ACS 5.1 Monitoring & Reports Benefits Global control and view of access Monitor Cisco Secure ACS health and operations from a single point Visibility into network access patterns and traffic End-to-end troubleshooting Proactively detect and troubleshoot network access issues Compliance Audit ACS administration Audit device administration activities Nazev skoleni a verze Copyright Alef Nula, a.s. 49

47 Monitoring and Reports Highlights Basic License Features Dashboard Real-time display of system and AAA health metrics Reports Pre-defined & custom reports Favorite reports Troubleshooting Reports & tools Standard Log Data Storage (1 month data age-out) Nazev skoleni a verze Copyright Alef Nula, a.s. 50

48 Monitoring and Reports Highlights Advanced Monitoring & Reporting License Features Alarms Define conditions and thresholds to generate alarms Display of alarms in Monitoring Dashboard Session Directory Directory of all sessions, showing key data (username, MAC address, IP address, session identifier, NAD, port, policy decision, posture, etc). AAA Accounting start/stop for session start/stop Troubleshooting Tools Connectivity tests (ping/nslookup/traceroute) on any device Extended Log Data Storage (up to 1 year data age-out) Nazev skoleni a verze Copyright Alef Nula, a.s. 51

49 ACS 5.1: Reports Authentication AAA Authentication summary, failed authentication summary, MAC authentication reports, access service authentication reports RADIUS/TACACS+ authentication and accounting,tacacs+ authorization Health/Operations Status Diagnostics, health summary ACS Administration Administrator logins, configuration changes Command Audit Command audit by user/device, command authorization by user/device Nazev skoleni a verze Copyright Alef Nula, a.s. 52

50 Authentication Report Snapshot Nazev skoleni a verze Copyright Alef Nula, a.s. 53

51 ACS 5: Session Directory Report Reports details of RADIUS & TACACS sessions (Active, History and Lookup) Nazev skoleni a verze Copyright Alef Nula, a.s. 54

52 ACS 5.1: Alarm Types Authentication activity alarms Passed or failed authentications over a period of time Inactivity over a period of time Audit alarms Command accounting, command authorization (TACACS+) ACS configuration commands Health alarms ACS system process, metrics AAA throughput RADIUS traffic volume Nazev skoleni a verze Copyright Alef Nula, a.s. 55

53 ACS 5.1 Alarms Nazev skoleni a verze Copyright Alef Nula, a.s. 56

54 ACS 5.1: Troubleshooting Tools Authentication Query Displays used MAC addresses for any particular user and passed/failed authentication activity Authentication Failure Code Customization Administrator can customize ACS failure code root cause and resolution information Connectivity to ACS To test connectivity and download package.cab file from server Connectivity test ping / nslookup / traceroute commands Nazev skoleni a verze Copyright Alef Nula, a.s. 57

55 ACS 5.1: Troubleshooting Tools Nazev skoleni a verze Copyright Alef Nula, a.s. 58

56 ACS 5.1: Troubleshooting Tools Nazev skoleni a verze Copyright Alef Nula, a.s. 59

57 ACS 5.1: Troubleshooting Tools Nazev skoleni a verze Copyright Alef Nula, a.s. 60

58 ACS 5.1: Troubleshooting Tools Nazev skoleni a verze Copyright Alef Nula, a.s. 61

59 Contents Integration with Windows AD and LDAP Runtime system, HA Migration Not supported Licensing Platform option More Information Nazev skoleni a verze Copyright Alef Nula, a.s. 62

60 Improved integration with Windows AD and LDAP Ease to use AD group selection Directory attributes Nazev skoleni a verze Copyright Alef Nula, a.s. 63

61 Improved integration with Windows AD and LDAP Nazev skoleni a verze Copyright Alef Nula, a.s. 64

62 Improved integration with Windows AD and LDAP Nazev skoleni a verze Copyright Alef Nula, a.s. 65

63 Contents Integration with Windows AD and LDAP Runtime system, HA Distributed deployment Incremental replication Shell access Migration Not supported Licensing Platform option Nazev skoleni a verze Copyright Alef Nula, a.s. 66

64 Revised high-performance runtime system Linux based Optimized system Nazev skoleni a verze Copyright Alef Nula, a.s. 67

65 Revised high-performance runtime system Nazev skoleni a verze Copyright Alef Nula, a.s. 68

66 New platform architecture, distributed deployment HW or SW based High availability Primary/Secondary instance Full/Incremental replication Nazev skoleni a verze Copyright Alef Nula, a.s. 69

67 New platform architecture, distributed deployment Nazev skoleni a verze Copyright Alef Nula, a.s. 70

68 Incremental Replication ACS 4.X send complete copy to the secondary instance ACS 5.1: Any configuration changes are immediately replicated to the secondary instance INCREMENTAL, only the configuration changes made since the last replication are propagated to the secondary instance Nazev skoleni a verze Copyright Alef Nula, a.s. 71

69 Support for the Cisco identity solution features Cisco identity solutions Cisco TrustSec require that all network devices have an established identity, and must be authenticated and authorized before they start operating in the network Nazev skoleni a verze Copyright Alef Nula, a.s. 72

70 Shell access control Acces to console Config as router or switch Nazev skoleni a verze Copyright Alef Nula, a.s. 73

71 Contents Integration with Windows AD and LDAP Runtime system, HA Migration Not supported Licensing Platform option More Information Nazev skoleni a verze Copyright Alef Nula, a.s. 74

72 Migration and Upgrades ACS 5.1 includes a migration tool to assist in migrating existing ACS data The new ACS 5.0 policy model may require that some policies be reconfigured Customers not ready for migration to ACS 5.1 can run ACS 4.2 on the new 1120 appliance Purchase 5.1 on 1120 Contact ACS Product Marketing to get electronic access to ACS 4.2 software A sales order number will be required 4.2 on 1120 image is available since 2009 Nazev skoleni a verze Copyright Alef Nula, a.s. 75

73 Migration and Upgrades Migration from Cisco Secure ACS release 4.x to ACS 5.1 with Migration Utility Nazev skoleni a verze Copyright Alef Nula, a.s. 76

74 Migration and Upgrades Nazev skoleni a verze Copyright Alef Nula, a.s. 77

75 Contents Integration with Windows AD and LDAP Runtime system, HA Migration Not supported Licensing Platform option More Information Nazev skoleni a verze Copyright Alef Nula, a.s. 78

76 Not supported TACACS+ Proxy Terminal server access control Application access control for CiscoWorks CSUtil features Nazev skoleni a verze Copyright Alef Nula, a.s. 79

77 Contents Integration with Windows AD and LDAP Runtime system, HA Migration Not supported Licensing Base Add-On Other features Platform option Next releases Nazev skoleni a verze Copyright Alef Nula, a.s. 81

78 Licensing Base license (up to 500 managed devices) Add-on licenses Advanced Monitoring and Reporting license TrustSec Access Control License Large Deployment License Evaluation license Not-For-Resale license Nazev skoleni a verze Copyright Alef Nula, a.s. 82

79 Licensing Base licenses and add-on licenses Provided as Product Activation Keys (PAK) Must be registered on Cisco.com to obtain license file Customer evaluation (90-day) ACS 5.0 evaluation software is available at: Certified/Specialized Partner NFR Program and_promotions/index.html Nazev skoleni a verze Copyright Alef Nula, a.s. 83

80 Licensing Nazev skoleni a verze Copyright Alef Nula, a.s. 84

81 Base License Features Nazev skoleni a verze Copyright Alef Nula, a.s. 85

82 Advanced License Features Nazev skoleni a verze Copyright Alef Nula, a.s. 86

83 Other ACS 5.1 Features Enhanced external DB and policy server integration Reference external (AD, LDAP) policy information directly in access policy rules Use attributes in conditions or authorization results Retrieve real-time data from external policy servers Large-scale, distributed deployment model One primary and multiple secondary servers Incremental configuration replication Centralized software updates Nazev skoleni a verze Copyright Alef Nula, a.s. 87

84 Should I use ACS 5.1 or 4.2? ACS 5.1 supports many access scenarios, but not all ACS 4.2 features Additional ACS 5.x releases are planned for 2011 Nazev skoleni a verze Copyright Alef Nula, a.s. 88

85 Contents Migration Not supported Licensing Platform option Hardware VmWare Installation Status Config More Information Nazev skoleni a verze Copyright Alef Nula, a.s. 89

86 ACS 5.1 Platform Options Linux Appliance One rack-unit (1RU) securityhardened, Linux-based appliance VMWare version Software application and Linux operating system image for installation on VMware ESX 3.5/Server 2.0 Nazev skoleni a verze Copyright Alef Nula, a.s. 90

87 ACS 5.1 VMWare system requirements 1 CPU or more 2 GB RAM or greater Exactly 60 GB HDD 1 Network Interface Card 1 CD/DVD drive Nazev skoleni a verze Copyright Alef Nula, a.s. 91

88 ACS 5.1 VMWare system requirements Nazev skoleni a verze Copyright Alef Nula, a.s. 92

89 Instalation Input data for Instalation: localhost login: setup Enter hostname[]: acs-server-1 Enter IP address[]: Enter IP default netmask[]: Enter IP default gateway[]: Enter default DNS domain[]: mycompany.com Enter Primary nameserver[]: Add/Edit another nameserver? Y/N : n Enter username [admin]: admin Enter password: Enter password again: Pinging the primary nameserver... Do not use `Ctrl-C' from this point on... Appliance is configured Installing applications... Installing acs... Generating configuration... Rebooting... Nazev skoleni a verze Copyright Alef Nula, a.s. 93

90 Status check acs51/admin# sh application status acs ACS role: PRIMARY Process 'database' running Process 'management' running Process 'runtime' running Process 'adclient' running Process 'view-database' running Process 'view-jobmanager' running Process 'view-alertmanager' running Process 'view-collector' running Process 'view-logprocessor' running acs51/admin# Nazev skoleni a verze Copyright Alef Nula, a.s. 94

91 Status check Nazev skoleni a verze Copyright Alef Nula, a.s. 95

92 Config acs51/admin# sh run Generating configuration...! hostname acs51! ip domain-name alef0.sk! interface GigabitEthernet 0 ip address ! ip name-server ! ip default-gateway ! clock timezone Europe/Bratislava! ntp server ! username admin password hash $1$.cHgc4XL$6D/77Us9Bf0zBCVuQUiE91 role admin! service sshd! repository FTP1 url ftp:// /backup/ user cisco password hash 4d44fce7075d615df49497a39a35c2e87f repository TFTP1 url tftp:// ! password-policy lower-case-required upper-case-required digit-required no-username disable-cisco-passwords min-password-length 6! logging localhost logging loglevel 6! cdp timer 60 cdp holdtime 180 cdp run GigabitEthernet 0! icmp echo on! acs51/admin# Nazev skoleni a verze Copyright Alef Nula, a.s. 96

93 Contents Integration with Windows AD and LDAP Runtime system, HA Migration Not supported Licensing Platform option More Information Nazev skoleni a verze Copyright Alef Nula, a.s. 99

94 More Information ACS 5.1 home page ACS Resource Center (Internal Wiki) ACS 5.1 documentation es_home.html ACS 4.2 and 5.1 comparison _system/5.0/user/guide/migrate.html#wp Contact the ACS marketing team Nazev skoleni a verze Copyright Alef Nula, a.s

95 Ďakujem za pozornosť