Cisco Secure ACS Overview
By Igor Koudashev, Systems Engineer, Cisco Systems Australia (ivk@cisco.com)
2006 Cisco Systems, Inc. All rights reserved.
Cisco Secure Access Control System: Policy Control and Integration Point for Network Access
- Enterprise network access control platform
- Remote access (VPN)
- Wireless and wired access (LEAP, PEAP, EAP-FAST, 802.1x, etc.)
- Administrative access control system for Cisco network devices (TACACS+)
- Auditing, compliance and accounting features
- Control point for access policy and application access integration
- Cisco Access Control System for management, Policy Decision Point (PDP) evaluation, reporting, and troubleshooting of access control policy
Consistent Policy Control and Compliance
Key scenarios: device administration, remote access, wireless and 802.1x, Network Admission Control (NAC)
(Diagram: ACS at the centre, integrated with CiscoWorks, AD / LDAP and posture / audit servers.)
Compliance features:
- Authentication policy (OTP, complex password)
- Authorization enforcement (network access, device command authorization)
- Audit logging
ACS Network Access Control Point
(Diagram: endpoints on the left, access devices in the middle, Cisco Secure ACS and its backends on the right.)
Who? Remote users (home office, road warrior), campus user, guest user, laptop, device
Why? Some of the people some of the time; all of the people all of the time; all machines; all devices
Endpoints: Cisco VPN Client, dial access, Cisco or CCX WLAN client, Web Auth, 802.1x supplicant, Cisco Trust Agent posture client, CTS device posture client, NIC controller (TRDP)
Where? Provider ISP AAA; enterprise VPN Concentrator, Aironet AP, Catalyst Switch, IOS Router
Backend: Cisco Secure ACS (RADIUS), user repository (LDAP, AD, OTP, ODBC), external policy and audit servers (HCAP, GAME), evaluating user, machine and posture
How is ACS used?
Our customers use ACS for:
1. Authentication and authorization (privileges) of remote users (traditional RADIUS)
2. Security of wired and wireless networks (EAP)
3. Administrators' access management to network devices and applications (TACACS+)
4. Security audit reports or account billing information
Ships in two form factors: software and appliance.
ACS has been successful because it combines access security, authentication, user and administrator access, and policy control in a centralized identity framework.
AAA Related Protocols
- RADIUS: Remote Authentication Dial In User Service
- TACACS+: Terminal Access Controller Access Control System
TACACS+ is supported by the Cisco family of routers and access servers. This protocol is a completely new version of the TACACS protocol referenced by RFC 1492.
What is RADIUS?
- A protocol used to communicate between a network device and an authentication server or database.
- Allows the communication of login and authentication information, i.e. username/password, OTP, etc.
- Allows the communication of arbitrary value pairs using Vendor Specific Attributes (VSAs).
- Can also act as a transport for EAP messages.
- RFC 2058
(Packet layout: UDP Header | RADIUS Header | EAP Payload)
How Cisco Secure ACS Operates
(Diagram: AAA Client (Network Access Server) talks TACACS+ or RADIUS to Cisco Secure ACS, which supports a variety of authentication methods against a variety of local or external databases.)
AAA client/server:
- AAA client defers authorization to centralized AAA server
- Highly scalable
- Uses standards-based protocols for AAA services
Some important points of Authentication
- The process of authentication is used to verify a claimed identity
- An identity is only useful as a pointer to an applicable policy and for accounting
- Without authorization or associated policies, authentication alone is pretty meaningless
- An authentication system is only as strong as the method of verification used
Network Access Control Model
(Diagram: Device -> Access (LAN, Wireless) -> ACS; flows shown are Request for Service (Connectivity), Backend Authentication Support (802.1x, RADIUS) and Identity Store Integration.)
Protocols and mechanisms:
- Extensible Authentication Protocol (EAP, RFC 3748)
- IEEE 802.1x framework
- Use of RADIUS
How is RADIUS used here?
- RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)
- RFC 3579: how RADIUS should support EAP between authenticator and authentication server
  (Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload)
- RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs
  (Packet layout: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs)
- RFC 3580: usage guideline for 802.1x authenticators' use of RADIUS
What's EAP?
- EAP, the Extensible Authentication Protocol, is a flexible protocol used to carry arbitrary authentication information, not the authentication method itself.
- Rose out of the need to reduce the complexity of relationships between systems and the increasing need for more elaborate and secure authentication methods.
- Typically rides directly over data-link layers such as 802.1x or PPP media.
- Originally specified in RFC 2284, obsoleted by RFC 3748.
What does it do?
- Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
- A switch or access point becomes a conduit for relaying EAP received in 802.1x packets to an authentication server, using RADIUS to carry the EAP information
- Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges; EAP messages can be encapsulated in the packets of other protocols, such as 802.1x or RADIUS
Three forms of EAP are specified in the standard:
- EAP-MD5: MD5 hashed username/password
- EAP-OTP: one-time passwords
- EAP-GTC: token-card implementations requiring user input
(Packet layout: Ethernet Header | 802.1x Header | EAP Payload)
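The two slides above describe RADIUS as the carrier for EAP between authenticator and authentication server. As an added example (not from the deck or from ACS itself), the following Python encodes an EAP-Response/Identity, wraps it in a RADIUS Access-Request using the EAP-Message (79) and Message-Authenticator (80) attributes as RFC 3579 specifies, and shows the server-side integrity check that a RADIUS server performs before trusting the EAP payload. The shared secret, identities and Request Authenticator are constructed sample values.

```python
import hashlib, hmac, struct
ACCESS_REQUEST = 1                                           # RADIUS code (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80    # attribute types (RFC 2865 / RFC 3579)

def eap_response_identity(ident, identity):
    """EAP header (Code=2 Response, Identifier, Length) + Type=1 Identity + data."""
    return struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity

def attr(t, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return bytes([t, 2 + len(value)]) + value
def eap_attrs(eap):
    """RFC 3579: an EAP payload over 253 bytes spans several EAP-Message attributes, in order."""
    return b"".join(attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))

def build_access_request(secret, ident, request_auth, user, eap):
    """Authenticator side: Message-Authenticator = HMAC-MD5(secret, packet with the MA value zeroed)."""
    body = attr(USER_NAME, user) + eap_attrs(eap)
    ma_off = 20 + len(body) + 2                      # offset of the 16-byte MA value
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_off] + mac + pkt[ma_off + 16:]

def parse_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte RADIUS header."""
    off = 20
    while off < len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield off, t, pkt[off + 2:off + length]
        off += length

def verify_access_request(secret, pkt):
    """Server side: return the reassembled EAP payload, or None if the packet must be silently discarded."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return None
    eap, ma_off = b"", None
    for off, t, value in parse_attrs(pkt):
        if t == EAP_MESSAGE:
            eap += value
        elif t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            ma_off = off + 2
    if not eap or ma_off is None:   # RFC 3579: EAP-Message without Message-Authenticator -> discard
        return None
    zeroed = pkt[:ma_off] + bytes(16) + pkt[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return eap if hmac.compare_digest(expected, pkt[ma_off:ma_off + 16]) else None
```

A request whose Message-Authenticator does not verify, or that carries EAP-Message without one, is dropped rather than answered, which is why a mismatched shared secret shows up as silence from the server rather than an Access-Reject.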
Current Prevalent Authentication Methods
Challenge-response-based:
- EAP-MD5: uses MD5 based challenge-response for authentication
- LEAP: uses username/password authentication
- EAP-MSCHAPv2: uses username/password MSCHAPv2 challenge-response authentication
Cryptographic-based:
- EAP-TLS: uses x.509 v3 PKI certificates and the TLS mechanism for authentication
Tunneling methods:
- PEAP: Protected EAP, a tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel much like web based SSL
- EAP-TTLS: other EAP methods over an extended EAP-TLS encrypted tunnel
- EAP-FAST: recent tunneling method designed to not require certificates at all for deployment
Other:
- EAP-GTC: generic token and OTP authentication
IEEE 802.1x
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.
(Diagram: client, switch and ACS AAA server, with the four steps below numbered on the links.)
1. User activates link (i.e. turns on the PC)
2. Switch asks the authentication server whether the user is authorized to access the LAN
3. Authentication server responds with the access authority
4. Switch opens the controlled port (if authorized) for the user to access the LAN
Features and Functions
Hardware/Software Platform
- ACS implements identity management and AAA services
- CD-ROM version for any Windows 2003 server
- Appliance version delivered on a hardened Win2003 OS
- Highly scalable (100,000+ users, thousands of RADIUS/TACACS+ devices) and feature-rich
Features Unique to the ACS Appliance
- Security-hardened underlying OS.
- Port-based packet filtering, allowing connections only to the ports necessary for Cisco Secure ACS operation.
- Serial console interface for initial configuration, subsequent management of IP connections, Web interface, and application of upgrades and remote reboots. The serial console interface supports both serial line and Telnet connections.
- SNMP read-only support to monitor the appliance from external systems.
- Backup/restore of the Cisco Secure ACS data via FTP.
- Recovery procedures.
- Network Time Protocol (NTP) support for maintaining network time consistency with other appliances or network devices.
ACS: The Policy Based Network Controller
ACS versions in the field:
- ACS 4.0 SW (FCS 2004): main feature NAC Phase 2 (L2 posture validation and external audit, service based policy)
- ACS 4.1 SW (FCS 2006): main features extended logging support, new ACS administrator management, PEAP/EAP-TLS support, Japanese Microsoft Windows support
- ACS 4.2 SW (FCS 2008)
Service Based Policy
The administrator entirely controls the ACS behavior by configuring aggregated Service Based Policies:
- How to process an access request: do (not) authenticate / using which auth protocols / do (not) validate posture / which posture protocols
- Credential validation policies (i.e. which DB to use for auth)
- Classification: map identity to user-group, map posture credentials to posture-token
- Authorization policies: map from user-group and posture-token to RADIUS profile
Different policies can be applied to different network access. Example: wireless access vs. remote (VPN) access policy.
ACS Features
- Automatic service monitoring, database synchronization, and importing tools for large-scale deployments
- LDAP, ODBC and OTP (RSA, others) user authentication
- Flexible 802.1X authentication support, including EAP-TLS, Protected EAP (PEAP), Cisco LEAP, EAP-FAST, and EAP-MD5
- Downloadable ACLs for any Layer 3 device, including routers, PIX firewalls, and VPNs (per user, per group)
- Network and machine access restrictions and filters
- Device command set authorization
- Detailed audit and accounting reports
- Dynamic quota generation
- User and device group profiles
Deployment Scenarios: Cisco Secure ACS
Remote User Network Access Scenario
(Diagram: a centralized access control server, Cisco Secure ACS with ACS View, serving three access paths.)
- Remote access (VPN): through the provider's ISP AAA to the enterprise VPN Concentrator
- Wireless user: 802.1x with EAP-TLS to an Aironet AP
- Wired user: 802.1x with EAP-FAST to a Catalyst Switch on the LAN
- The enterprise IOS Router sits between the provider and the enterprise LAN
- ACS uses RADIUS and consults the user repository (LDAP, AD, OTP, ODBC) and external policy and audit servers (HCAP, GAME)
Device Administration Scenario
(Diagram: network administrators with full, partial, or read-only access to routers, switches and APs across the West APs, backbone, East and security perimeter areas.)
- Devices authenticate administrators to ACS over T+ or RADIUS; ACS replication keeps a second ACS in step
- Device syslog goes to ACS or an RA logging server
- Server access (Unix, DSMS) and PBX access through a terminal server are covered by the same system access policy, with secure auth mechanisms
GUI Interface / Screen Shots
Cisco Secure ACS: Accessing the GUI
- Remote administrator authentication page ( http://server-name/ip:2002 )
- An administrator must be configured prior to remote login.
- If accessed on the local system (for example, using 127.0.0.1 as the IP address), this page is not displayed and the administrator gains access.
Cisco Secure ACS Home Page (screenshot)
NAP: Network Access Profile (screenshot)