© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1
Контроль доступа в ЛВС на основе ролей. Практические сценарии применения технологий.
!"#$%&%' ("%)&#* +%+,-&*./ %*0-*-'-12*+3"4,#*,
2
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Содержание • Обзор Cisco TrustSec • Сетевая идентификация • Авторизация и применение политик
• Целостность и конфиденциальность данных
• Управление TrustSec. CiscoWorks LMS 4.0
• Обзор новых версий решений Cisco для контроля сетевого доступа Cisco NAC, Cisco ACS, NAC Guest, NAC Profiler
3
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
IP-4,81%, !"%+"%,$5-#B2 %1)*%) MAC: F5 AB 8B 65 00 D4 E"*$=*4
!"%+"%,$5-#B2 %1)*%) .,="%,$"%59 11 *$%,
F,%59 05("%"-, 0"$%*(#54 HR 3%"-"(#"2 (")$*+ 11-00
3%5#$1% E14"%+"%,$5-#B2 ,4$5- MAC: B2 CF 81 A4 02 D7
IP $1&1?"# G/W !"%+"%,$5-#B2 ,4$5- G5#,#)"-B2 (1+,%$,81#$ 11:00 -161%,
01%;12 H,&,>"- 4"#$%,4$#54 IT 3%"-"(#"1 +"(4&I61#51 10 *$%,
@##, 31$%"-, )"$%*(#54 CEO C(,&1##B2 (")$*+ 10 -161%,
!,$9 J*4"-)4,9 )"$%*(#54 R&D WiFi 14:00 (#9
@#$"# @&8,>"- 4"#)*&'$,#$ A1#$%,&'#B2 "?5) C(,&1##B2 (")$*+ 6:00 -161%,
/54$"%59 !,$1%#I4 0"$%*(#54 3%"-"(#"2 (")$*+ 15-00
Конфиденциальные ресурсы Сеть, устройства и Приложения
Множество методов доступа Разные устройства, разные места
Все необходимо контролировать
Сегодня: Динамическая среда доступа
Пользователи и устройства Сотрудники, Контрактники, Телефоны, Принтеры…
4
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Важность политики
Защита среды коммуникаций
В условиях размытия границ сети необходимо контролировать доступ к ресурсам
Обеспечение соответствия Соответствие строгим корпоративным, государственным и регуляторным требованиям
Увеличение безопасности Обеспечение соответствия политике для пользователей и устройств важно для ИБ
5
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Cisco TrustSec
TrustSec - зонтичная архитектура для увеличения безопасности кампусной сети и датацентра. Помогает компаниям защитить сеть, данные и ресурсы с помощью: • технологий сетевой идентификации • технологий контроля доступа на основе политик и пользовательских ролей
• дополнительных сервисов для защиты доступа и среды передачи
6
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Ключевые функции Cisco TrustSec
Контроль доступа на основе политик
! Постоянство политик для пользователей и устройств
! Контроль доступа на основе пользовательских ролей (RBAC)
! Распределенное внедрение
! Независимый от сетевой топологии контроль доступа с помощью Security Group Access Control (SGAC)
Сетевая идентификация
! Контроль, основанный на идентификационной информации и атрибутах (время, место, метод доступа)
! Поддержка Cisco Medianet и QoS для приложений, ассоциированных с пользовательскими ролями
Дополнительные сервисы
! Гостевой доступ ! Оценка состояния устройств и их соответствия политике безопасности
! Профилирование устройств без агентов
! Шифрование канала данных на базе стандарта IEEE 802.1AE
7
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Дополнительные сервисы
Авторизация
Идентификация Аутентификация
ACL
802.1X 802.1X
802.1X-REV MAB WebAuth
Политика
VLAN
Интеграция с UC
Архитектура Cisco TrustSec. Сетевые службы идентификации (IBNS)
8
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
S"+"$1&'#B1 )1%-5)B
@-$"%5>,759
O(1#$5?54,759 @*$1#$5?54,759
ACL
<71#4, )")$"9#59 *)$%"2)$-,
NAC (In-band,
Out-of-band) MAB WebAuth
F2"%,%1#
3%"?5&5%"--,#51
*)$%"2)$-
VLAN
Q")$1-"2 (")$*+
Архитектура Cisco TrustSec. Контроль доступа в сеть (NAC)
9
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
S"+"$1&'#B1 )1%-5)B
@-$"%5>,759
O(1#$5?54,759 @*$1#$5?54,759
ACL
802.1X
<71#4, )")$"9#59 *)$%"2)$-,
NAC (In-band,
Out-of-band)
802.1X 802.1X-REV MAB WebAuth
F2"%,%1#
Security Group Tagging
3%"?5&5%"--,#51
*)$%"2)$-
VLAN
MACSec O#$1;%,759 ) UC
Q")$1-"2 (")$*+
Архитектура Cisco TrustSec.
10
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Cisco TrustSec: Контроль сетевого доступа на основе 802.1X
Гостевые пользователи
Сетевые устройства
NAC Guest
NAC Profiler
ACS
802.1X
Защищаемые ресурсы
H!5
IP Телефоны
Протокол управления: RADIUS
Контроллер БЛВС
Сапликант
Каталог пользователей
Коммутаторы Cisco® Catalyst®
Пользователи, хосты
Коммутатор Nexus® 7000
Web
MAC
11
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Cisco TrustSec: Контроль сетевого доступа на основе NAC Appliance
Гостевые пользователи
Защищаемые ресурсы
H!5 IP M1&1?"#B NAC Manager
NAC Server
Протокол управления: SNMP
Контроллер БЛВС
NAC Agent
NAC Guest
NAC Profiler
Каталог пользователей
Коммутаторы Cisco® Catalyst®
Сетевые устройства
Пользователи, хосты
Web
MAC
12
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Сравнение 802.1X и NAC Appliance Решение Cisco на основе 802.1X
Решение на основе NAC Appliance
Требуется ли агент или сапликант?
Да, для 802.1X. Нет, для Web аутентификации
Да, для оценки состояния. Нет, для Web аутентификации
Идентификация/Авторизация Да Да
Контроль соответствия устройств политике
Нет Да
Отраслевой стандарт Да Нет
Поддержка для устройств без 802.1X
Да (MAB) Да
Поддержка устройств без агентов
Да: NAC Profiler Да: NAC Profiler
Поддержка машинной аутентификации
Да Нет
Поддержка гостевого доступа Да Да
Протокол управления RADIUS SNMP
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
Сетевая идентификация
14
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Сетевая идентификация на основе Cisco 802.1X (Identity-Based Networking Services - IBNS)
! Аутентификация IEEE802.1X для пользователей и устройств
Основанная на стандартах аутентификация на втором уровне на порту для пользователей и устройств
! Обход аутентификации по MAC-адресам (MAB) Устройства без 802.1X могут быть аутентифицированы, используя MAB (MAC authentication bypass)
! WEB аутентификация Гостевые пользователи могут использовать аутентификацию через web портал для временного доступа в сеть
15
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Сетевой порт с 802.1X
Выглядит так же, как и без 802.1X
?
SWITCHPORT
После аутентификации ! Повышается уровень безопасности ! Настройка порта (VLAN, ACL, QoS) ! Факт доступа зафиксирован
Аутентифицированный пользователь
16
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Cisco TrustSec Flexible Authentication
Гибкая аутентификация позволяет: ! Использовать три различных метода аутентификации:
802.1X для устройств с сапликантами
MAC Authentication Bypass (MAB) Web Authentication (Имя/пароль)
Настройка на порт В любой комбинации В любом порядке
! Это уменьшает сетевые OpEx: – Поддержка корпоративных пользователей, устройств и гостевых пользователей на одном порту – Пользователи/устройства могут свободно перемещаться в сети без перенастройки оборудования
17
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Как работает Flexible Authentication
802.1X MAB Web Auth
Доступные методы на порту
802.1X MAB Web Auth
Порядок по умолчанию Аутентификация сотрудника
802.1X MAB Web Auth
Устройства без сапликанта, Частичный доступ до 802.1x аутентификации, VIP
MAB Web Auth Веб-аутентификация
Порядок методов Приоритет методов Действия в случае неудачи
1.
2.
3.
18
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
SWITCHPORT
VM
802.1X Multi-Authentication
Несколько MAC на порту Контроль с использованием MAC для каждого устройства: ! 802.1X или MAB
Независимый контроль доступа на порту для каждого MAC с помощью загружаемого ACL (dACL)
19
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Hubs 3rd Party IP Phones
Legacy Cisco IP Phones
Промежуточное устройство посередине
PC Movement
Промежуточные сетевые устройства
Identity Enabled Networks
• Проблемой сетевой аутентификации является отсутствие информации о состоянии устройства, подключенного в порт коммутатора не напрямую, а через неуправляемый коммутатор/хаб, телефонный аппарат
• Мы не можем зафиксировать факт отключения устройства
• Возможность перемещения таких устройств между портами коммутатора или возможность спуфинга аутентифицированного устройства создает угрозу безопасности
20
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Защита от поддельных сетевых устройств: Network Edge Access Topology (NEAT)
1. Расширяет доверие на конференц-комнаты, холлы и блейд-системы
2. Делает безопасным контроль устройств в общедоступных местах
Authorized Remove MAC per
notifications
Port Status
Authorized Only Allow MAC of
Auth’d Host
!"#"$% &'("# Authorized
)*+,-./001/ MAC (#2(/3/01
Port Status Authorized
MAC 4'55$"#"'(# (#2(/3/0
!"#"$% &'("#
Wall Jack in Conf Room
Wiring Closet Switch
6$"/0"7874#7, 4'55$"#"'(#
!"#"$% &'("#
Un-Authorized
Machine Auth
!"#"$% &'("#
Un- Authorized
)*+,-./07/ MAC #$"/0". 9'%"#
:;#./07/ MAC &' "#<5'$"$ 7.7 '"4.=>/07= .704#
• )"4.=>/07/ • Power down • Or Logoff
?'5"01< 4'55$"#"'(
AAA
Campus LAN
21
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
IP-телефония. Multidomain Authentication (MDA)
1. MDA разделяет аутентификационный домен для данных (ПК) и голоса (IP телефон)
2. MDA поддерживает 802.1X или MAB для обоих доменов аутентификации, для голоса и данных
3. Поддерживает как Cisco IP телефоны, так и сторонние IP телефоны
The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again.
Voice
Data
Два домена на порт
802.1q
Телефоны аутентифицируются в голосовом домене, Тегируют трафик в голосовом VLAN
ПК аутентифицируется в домене данных, Нетегированный трафик в VLAN для данных
22
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Решение 802.1X с IP-телефонией Контроль порта: Три решения
22
EAPoL-Logoff
Работает только с 802.1X устройствами и
определенными телефонами*
Сессия обнуляется сразу посылкой EAPoL-Logoff
PC-A @,1"D;#-,+9
PC-B F2$1"D;#-,+9 Dot1x Logon
Required
Proxy EAPoL-Logoff
802.1x/MAB Inactivity Timeout
Некоторым устройствам может понадобиться повторная
аутентификация
Есть возможность подключения до истечения таймера и очистки
сессии PC-A Отключается
PC-B F2$1"D;#-,+9 Auth
Required
SSCA
CDP 2nd Port Notification CDP Link Down
PC-A @,1"D;#-,+9
PC-B F2$1"D;#-,+9 Auth
Required
SSCA
Сессия обнуляется сразу посылкой CDP Link Down
" I#)2,#-, + MAB, 802.1X, % Webauth.
" K- ,'-)3-, *#+,'2/1%
SSCA SSCB
SSCB
SSCB
23
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Внедрение TrustSec и IP Telephony: лучшие практики
3rd Gen phone • X.509 cert support • firmware 8.5(2)
Catalyst switch • 12.2(50)SE3 (2k, 3k) • 12.2(52)SG (4k) • 12.2(33)SXI (6K)
ACS version 5.x CUCM 7.1.2 7 -13/
EAP-TLS CDP 2nd Port
802.1X with MDA CDP 2nd Port Monitor/Low Impact “Touchless” EAP-
TLS Remote 802.1X Enable
Cisco TrustSec предоставляет наиболее полную совместимость IP телефонов с 802.1X в индустрии:
# Cisco IP телефоны имеют встроенный сапликант, поддерживающий EAP-MD5, EAP-FAST и EAP-TLS, и предустановленные цифровые сертификаты (MIC), которые можно использовать для 802.1x идентификации
# 802.1x может активироваться на телефонном аппарате централизованно с помощью CUCM версии 7.1.2 и выше
# Протестированный сценарий “бесконтактной” настройки 802.1x с телефонией описан на cisco.com
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
Авторизация и применение политики в сети
25
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Различные механизмы авторизации
! TrustSec предоставляет различные механизмы авторизации для обеспечения политики
! Три основных механизма разграничения доступа: Присвоение VLAN – Ingress Присвоение dACL – Ingress Использование Security Group ACL (SGACL) – Egress
! Три разные модели внедрения разграничения доступа: Открытый режим (Monitor Mode) Ограниченный режим (Low Impact Mode) Безопасный режим (High-Security Mode)
26
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Назначение VLAN – плюсы и минусы
+ Самый простой способ сегментации трафика
+ Большинство вендоров поддерживают динамическое присвоение адресов (RFC3580)
- Необходимо создавать новые VLAN
- Новый VLAN = Новая IP-подсеть
- Динамическое изменение VLAN означает динамическое изменение адреса
- Управление множеством ACL на каждом L3 интерфейсе сложно для больших сетей
27
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Загружаемые ACL - плюсы и минусы
+ ACLs управляются централизованно и применяются для данного IP-адреса источника (пользовательского устройства) + Не нужно указывать адрес устройства в ACL + Лучше масштабируются, чем per-user ACL (больше ACEs в RADIUS VSA) + Для некоторых сервисов (таких как PXE Boot или Wake-On-LAN) возможно открывать доступ еще до прохождения аутентификации с помощью интерфейсного ACL - Изменения адреса получателя (Destination IP) нужно отражать во всех ACE - Возможно переполнение аппаратных ресурсов коммутатора в случае большого количества строчек правил фильтрации ACE
28
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Модели реализации политики
! Традиционный режим внедрения 802.1x (безопасный режим) предполагает отсутствие доступа в сеть до аутентификации.
! После аутентификации доступ в сеть открывается и происходит назначение VLAN и/или загрузка ACL (опционально)
! Полное отсутствие сетевого доступа до аутентификации или после неуспешной аутентификации негативно влияет на работу сервисов:
• DHCP, взаимодействие OS (KRB5, LDAP, DNS, групповые политики AD (Group Policy Object), протокол PXE для загрузки ОС, WoL для управления ПО и патчами
• Нежелательное явление на этапе внедрения
Ограниченный режим
Безопасный режим
Режимы реализации TrustSec помогают предотвратить проблемы внедрения 802.1X
Открытый режим
29
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
!"#$ RADIUS %&'(")*+,-./* 01203' (+003': ! 4)%'503'/0'1)%'503' +1*'0*$6$7+8$$
802.1X/EAP – 9%$)"7 ,+-$(03: 802.1x 7-$'0*", – 9%$)"7 0' ,+-$(03: 802.1x 7-$'0*",
! 4)%'503'/0'1)%'503' +1*'0*$6$7+8$$ MAB – 9%$)"7 ,+-$(03: MAC", – 9%$)"7 0' ,+-$(03: MAC",
802.1X/MAB – Open Mode
3<LM
Open Mode (без ограничений)
! Весь трафик разрешен ! Аутентификация по-прежнему работает
! Поддерживается для 802.1X и MAB
30
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Остальной трафик блокируется до успешной аутентификации 802.1X,
MAB, или Web аутентификации
ACL открывает необходимые TCP/UDP
порты
Выборочно открытый доступ
! Open Mode плюс разрешения ACL по умолчанию
– На определенные TCP/UDP порты
– На определенные адреса
Вариант контроля 2. Ограниченный режим Контроль доступа с ACL
31
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Вариант контроля 2. Ограниченный режим Контроль доступа с ACL
3<LM
После аутентификации ! Загружаемые dACL переписывают существующий ACL на порту
! Предоставляет полный (или ограниченный) доступ
32
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Контроль доступа на входе
802.1X/MAB/Web Auth
Назначение VLAN / VRF
Загрузка dACL
• Могу ли я создавать и управлять VLANs и IP адресным пулом? • Как обрабатывается обновление DHCP в новой сети? • Каким образом я управляю ACLs на VLAN интерфейсе? • Работают ли такие протоколы, как PXE или WOL, с назначением
VLAN? • Влияние на суммаризацию маршрутов?
• Кто будет обслуживать ACL? • Что если мои IP адреса назначения изменятся? • Мой коммутатор имеет достаточно памяти TCAM для обработки всех запросов?
Традиционные методы контроля доступа имеют некоторые проблемы при внедрении:
– Требуется детальный дизайн перед внедрением, иначе…
– Не настолько гибкие, как требуется для бизнеса
– Контроль доступа может потребовать редизайна всей сети
33
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Контроль доступа на выходе с использованием групп безопасности Security Group
Контроль доступа, основанный на Группах Безопасности, позволяет заказчикам:
– Сохранять существующий логический дизайн на уровне доступа
– Изменять / применять политику для соответствия текущим бизнес-требованиям
– Распределять политику с центрального сервера управления
SGACL
802.1X/MAB/Web Auth.
Финансы (SGT=4)
Кадры (SGT=10)
O 12*,'#1,2' M29 8'3<<# (L
C2*,'#1,2' & (L
SGT = 100
SGT = 100
34
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Применение SGT и SGACL ! Уникальная метка 16 bit (65K) присваивается каждой роли
! Представляет привилегии пользователя, устройства или субъекта
! Тегирование на входе в домен TrustSec
SGACL SG
Security Group
Tag
! Фильтрация по меткам (SGACL) на выходе из домена TrustSec (обычно в ЦОДе)
! Правила без IP-адресов (IP адрес привязан к метке)
! Политика (ACL) распределяется от центрального сервера политик (ACS) или настраивается локально на устройстве TrustSec
! Обеспечивает политики, независимые от топологии
! Гибкие и масштабируемые политики, основанные на роли пользователя
! Централизованное управление политиками для динамического внедрения правил
! Исходящая фильтрация ведет к уменьшению нагрузки на TCAM
Преимущества
35
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Сценарий: сеть медицинского учреждения
Пользователи Сервера Security Group
(Источник) Security Group (Назначение)
Doctor (SGT 7)
Staff (SGT 11)
Guest (SGT 15)
IT Admin (SGT 5)
SGACL
Medical DB (SGT 10)
Internal Portal (SGT 9)
Public Portal (SGT 8)
IT Portal (SGT 4)
100 x
5 x
145 x
150 x
x 15
x 5
x 5
x 5
36
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Матрица политик SGACL Как SGACL упрощают контроль доступа
Доктора (SGT 7)
IT админы (SGT 5)
IT Portal (SGT 4)
Public Portal (SGT 8)
Internal Portal (SGT 9)
Patient Record DB (SGT 10)
Метка назначения
Метка источника
Web Web No Access Web File Share
Web SSH RDP
File Share
Web SSH RDP
File Share
Full Access SSH RDP
File Share
permit tcp dst eq 80 permit tcp dst eq 22 permit tcp dst eq 3389 permit tcp dst eq 445 deny ip
IT Maintenance ACL
37
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Эффективность SGACL в реальных условиях 400 пользователей получают доступ к 30 сетевым ресурсам с 4 типами полномочий для каждого ресурса Традиционный ACL на FW без фильтрации источника
Any (src) * 30 (dst) * 4 permission = 120 ACEs
Традиционный ACL на интерфейсе VLAN – используя фильтрацию по подсетям источника трафика
4 VLANs (src) * 30 (dst) * 4 permission = 480 ACEs
С технологией SGACL 4 SGT (src) * 4 SGT (dst) * 4 permission = 64 ACEs
Фильтрация на порту с помощью Downloadable ACL
1 Group (src) * 30 (dst) * 4 permission = 120 ACEs
400 (src) * 30 (dst) * 4 permission = 48 000 ACEs
Традиционный ACL на FW с фильтрацией по источнику
38
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Security Group based Access Control Как это работает
IT Portal (SGT 4)
Agent-less Device
Active Directory
Catalyst® 3750-X
Пользователи, устройства
Campus Network
Nexus® 7000 Nexus® 7000
SXP
Catalyst® 4948 ACS v5.2 802.1X
MAB
LWA
Public Portal (SGT 8) Internal Portal (SGT 9)
Patient Record DB (SGT 10) Doctor (SGT 7) IT Admin (SGT 5)
VLAN100
VLAN200
Нетегированные фреймы
Тегированные фреймы
SGT=7
1
2 3
4 5
1. Устройство подключается к сети 2. Коммутатор доступа аутентифицирует пользователя и присваивает метку SGT 3. SXP передает таблицы IP-to-SGT на N7K 4. Устройство с поддержкой SGT (N7K) принимает пакеты и устанавливает SGT 5. Устройство с поддержкой SGT (N7K) фильтрует пакеты, основываясь на SGT
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
Целостность и конфиденциальность данных
40
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 40 40
&^*RTW#(*J^*&*sd#J$%UJ&(
Конфиденциальность и целостность Безопасность пути передачи данных с MACSec
• Обеспечивает шифрование “эквивалент WLAN / VPN” (128bit AES GCM) для LAN подключений
• Шифрование на основе стандарта (IEEE802.1AE) + управление ключами по стандарту (IEEE802.1X-2010/MKA)
• Позволяет проводить аудит и обеспечивать сервисы безопасности
Media Access Control Security (MACSec) или LinkSec
802.1X
Сапликант с MACSec
Гость
Устройства с поддержкой
MACSec
&^*RTW#(*J^*&*sd#J$%UJWD&(
Данные пересылаются открыто
MACSec канал
Зашифровать Расшифровать Аутентифицированный пользователь
41
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 41 41
Текущая поддержка MACSec MACSec на уровне доступа
! Catalyst® 3750X/3560X (клиентские порты)
! Требуется Cisco IOS® 12.2 (53)SE2
! 802.1X-REV (MKA) для управления ключами – Замечание: В настоящее время MACSec не поддерживается на аплинках Cat3750-X
MACSec для инфраструктуры ! Nexus® 7000 серия DC-коммутаторов
! Поддержка линейных карт 1GbE/10GbE
! Требуется NX-OS 5.0(2)a
! SAP (Cisco Protocol) для управления ключами
Замечание: SAP + MKA требуют ACS версии 5.1 или более поздней. SAP имеет опцию статической настройки ключей на интерфейсе Nexus 7000. В настоящее время MACSec/MKA поддерживается только на уровне доступа, а MACSec/SAP поддерживается для инфраструктурных задач. В будущем поддержка MACSec/MKA (стандарта) будет обеспечиваться везде.
42
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 42 42
AnyConnect 3.0 для MACSec
AnyConnect 3.0 обеспечивает ! Унифицированный интерфейс доступа для SSL-VPN, IPSec и 802.1X в LAN / WLAN
! Поддержка MACSec / MKA (802.1X-REV) для программного шифрования (скорость зависит от мощности)
! Использование MACSec-совместимого HW (сетевых карт) увеличивает производительность AnyConnect 3.0
Аппаратная поддержка MACSec: Intel 82576 Gigabit Ethernet Controller Intel 82599 10 Gigabit Ethernet Controller Intel ICH10 - Q45 Express Chipset (1Gbe LOM) (Dell, Lenova, Fujitsu и HP производят рабочие станции с указанными сетевыми картами.)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
Управление TrustSec. CiscoWorks LMS 4.0
44
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Система CiscoWorks LMS 4.0
WorkCenter Конфигурация Мониторинг Отчетность
EnergyWise Large-scale switch configuration Manage EW domains and policies
Power consumption, Cost savings, policy compliance, alarms & events
Cisco TrustSec™ Large-scale 802.1x Identity deployment Day-N configuration changes
Authorization and authentication success failure trends, login stats
Smart Install Centrally manage Smart Install Directors Manage client switch configuration and sw images
Smart Install-specific LMS job management
Auto Smartports Large-scale ASP deployment and day-N configuration changes Event/trigger management MAC-based group configuration
Auto Smartports-specific LMS job management
Концепция рабочих центров • управление всем жизненным циклом для определенной задачи (технологии)
• от оценки готовности до внедрения и поддержки
• Упрощает масштабные внедрения технологии
45
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Интеграция LMS 4.0 и функционала TrustSec на коммутаторах
TrustSec™ Identity Work Center
• Оценка готовности сети (HW/SW/конфигурации) к внедрению TrustSec
• Настройка коммутаторов (Radius, авторизационные профайлы на интерфейсах и устройствах, включая все новые опции TrustSec)
• Отчет по конфигурациям TrustSec и поиск неисправностей
• Мониторинг данных идентификации с помощью SNMP (аутентифицированные/авторизованные пользователи, ошибки аутентификации…)
• Портлеты мониторинга состояния на рабочий стол LMS (dashboard)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
Расчет финансовых метрик внедрения TrustSec
47
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
TrustSec Return On Investment (ROI) калькулятор
48
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Расчет затрат и потерь
49
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Выводы • TrustSec предоставляет законченную архитектуру для
контроля доступа, которая охватывает разнообразные пользовательские сценарии и является лидером на рынке NAC по функционалу
• TrustSec использует множество функций сетевой инфраструктуры Cisco, которые упрощают внедрение и позволяют адаптироваться к потребностям реальных гетерогенных сетей
• Ценность TrustSec заключается в поддержке большого числа дополнительных сервисов (гостевой доступ, поддержка устройств без агентов, метки безопасности и шифрование), которые значительно расширяют базовый функционал NAC или 802.1x
• Дальнейшим развитием решений Cisco TrustSec является более тесная интеграция в единой платформе
50
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Вопросы и Ответы
51
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Полезные ссылки TrustSec на основе 802.1x для кампусных сетей http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html
Identity-Based Networking Services: Внедрение IEEE 802.1X http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html
Внедрение Identity Based Networking Services на основе сценариев http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html
Настройка и развертывание IP-телефонии в сетях IEEE 802.1X http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html
Калькуляторы ROI для TrustSec http://www.cisco.com/assets/sol/sec/flash/trustsec/pop.html http://www.ciscosecuritynac.com/Cisco_NAC_GOV_ROI_Calculator.xls
52
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Мы хотели бы узнать Ваше мнение
Пожалуйста, заполните анкету
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 53
Обзор новых версий решений Cisco для контроля сетевого доступа Cisco NAC, Cisco Secure ACS
!"#$%&%' ("%)&#* +%+,-&*./ %*0-*-'-12*+3"4,#*,
54
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Содержание • Контроль доступа в ЛВС на основе ролей. Практические сценарии применения технологий.
• Политики доступа на основе правил. Cisco Secure ACS 5.x
• Модель контроля доступа на основе NAC Appliance
• Профилирование доступа “непользовательских” устройств
• Гостевой доступ
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
Политики доступа на основе правил. Cisco Secure ACS 5.x
56
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Варианты платформы Cisco Access Control System 5.2
1. Устройство Cisco Secure 1121 – Устройство (1RU) на основе Linux-подобной системы (ADE OS) с ужесточенной политикой безопасности
2. VMWare образ – Программное приложение и ОС Linux для инсталляции на VMware ESX 3.5, 4.0
Версия 5.2 поддерживает FIPS 140-2 Level 1 сертификацию
Поддержку SHA-256
Поддержку Internet Explorer 8 для интерфейса администраторов
Поддержку Windows 2008 R2 для AD аутентификации.
57
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Provision interfaces and tools Posture &
audit protocols
Accounting & Logging Session
State
Policy & Inventory
ACS Runtime
Dev
ice
Pro
toco
ls
Identity interfaces
Cisco Secure Access Control System (ACS)
Report
Interact & Query
Integrate & Enforce
Cisco Secure Access Control System (ACS) 5.x Особенности архитектуры
1. Модель функционирования на основе правил, дающая гибкость при определении политик
2. Новый механизм инкрементальной репликации, возможность создания распределенных внедрений
3. Упрощенное администрирование за счет обновленного Web GUI, появление IOS-подобного CLI интерфейса
4. Новые возможности по созданию отчетов, ранее входившие в отдельный продукт Cisco ACS View
5. Поддержка иерархии пользователей и устройств во внутренней базе ACS
6. Улучшенная интеграция с внешними базами (AD, LDAP, SecurID/OTP, Radius Proxy) для идентификации и определения политик
Provision interfaces and tools Posture &
audit protocols
Accounting & Logging Session
State
Policy & Inventory
ACS Runtime
Dev
ice
Pro
toco
ls
Identity interfaces
Provision interfaces and tools
Posture &
audit protocols
Accounting & Logging Session
State
Policy & Inventory
ACS Runtime
Dev
ice
Pro
toco
ls
Identity interfaces
ACS Management
Posture & audit protocols
Reporting & Troubleshooting
Accounting & logging
Policy & Inventory
ACS Runtime
Dev
ice
Prot
ocol
s Identity interfaces
58
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
+
Access Privilege
Engineering
Human Resources
Finance
Home Access
Deny Access
Guest
Other Conditions
Time and Date
Access Type
Location
Более гибкая политика с контролем доступа на основе ролей
Антон Алмазов Employee Consultant
Виктория Катернюк Employee Marketing
Ан­на Петрова Employee Sales Director
Каждый имеет собственную роль
Идентификационная информация
Identity: Network Administrator
Identity: Full-Time Employee
Identity: Guest
Мария Сидорова Сотрудник ОК
59
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
F2"%,%1# $"9 +27'-&-**.6 ,'-)27#*%/ )%B*-+#
+
O(1#$5?54,75"##,9 5#?"%8,759
Identity: 01$1-"2 ,(85#
Identity: R$,$#B2 )"$%*(#54
Identity: Q")$'
3%5-5&1;55 (")$*+,
!"#)*&'$,#$
<$(1& 4,(%"-
H*:;,&$1%59
F,%41$5#;
T,+%1$5$'
Q")$'
S%*;51 *)&"-59
/%189 5 (,$,
M5+ (")$*+,
F1)$"+"&"K1#51
60
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
+
Identity Information
Identity: Network Administrator
Identity: Guest
Identity: Full-Time Employee
I2"4 + 12*,'2"4 $2+,3<# *# 2+*27- <'#7%"#
3%5-5&1;55 (")$*+,
Engineering
Finance
Home Access
Deny Access
Guest
<$(1& 4,(%"-
S%*;51 *)&"-59
Time and Date
Q(1: A<
M5+ (")$*+,: +%"-"(#"2
05("%"-, F. 52,'3$*%1 <!
61
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
+
Identity Information
Identity: Network Administrator
Identity: Guest
Identity: Full-Time Employee
I2"4 + 12*,'2"4 $2+,3<# *# 2+*27- <'#7%"#
3%5-5&1;55 (")$*+,
Engineering
Finance
Home Access
Guest
Human Resources
S%*;51 *)&"-59
/%189 5 (,$,
Q(1: G5&5,&
M5+ (")$*+,: =1)+%"-"(#"2 T,+%1$5$'
05("%"-, F. 52,'3$*%1 <! /#1 +1%581$%,
62
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
F'%&-' S"-&-*,27 <2"%,%1%
C)&"-59 +"&5$545
Access Type Location Date and Time Network Device Type NAD IP Address EAP Auth Method Authentication Status AD Group LDAP Attributes RADIUS Attribute : :
5%$2'27# M#'%9 L%<: Reg. Employee :2"0*2+,4: Sr. HR Advisor U'3<<#: HR Admin Group @,$-" ID: 240087 L-"-E2*: 495-555-5555 Mail: [email protected]
63
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
F'%&-*-*%- <'#7%" $2+,3<#
1. @-$"%5>,75"##,9 +"&5$54, )1$1-";" (")$*+, - ACS +%1(")$,-&91$ 8"P#*I 8"(1&' “IF-THEN-ELSE” (&9 %,>%,="$45 ;5=4"2 4"%+"%,$5-#"2 +"&5$545
2. @-$"%5>,75"##B1 +%"?,2&B +%1(")$,-&9I$ 81$"(B 4"#$%"&9 +"&5$54 #, -:"(1.
3. Y")$* 8";*$ =B$' #,>#,61#B Security group - $" K1 ),8"1 -%189
F1$"(B ,-$"%5>,755
! E,>#,61#51 VLAN ! 04,65-,#51 dACL ! 31%1#,+%,-&1#51 URL ! Security Group ACL
64
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Cisco ACS M2*%,2'%*8 % <2%+1 *-%+<'#7*2+,-/
3"&#")$'I #,)$%,5-,18B1 +,#1&5 5#)$%*81#$"-
3"(%"=#,9 "$61$#")$'
05;#,&B 5 C-1("8&1#59
! 0$,#(,%$#B1 "$61$B ! R,=&"#B ! E,)$%,5-,18B1 "$61$B
! E,)$%,5-,18B1 $%5;;1%B
! 05;#,&B 61%1> Email 5&5 Syslog
65
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
F#*-"4 %*+,'3&-*,27 Live Authentication Log
1. Live Authentication Log +%1(")$,-&91$ =B)$%B2 (")$*+ 4 ,*$1#$5?54,75"##B8 >,+5)98 - %1,&'#"8 8,)D$,=1 -%181#5
2. S")$*+#B ("+"$1&'#B1 )-1(1#59 " ,*$1#$5?54,755, +%565#B "$4,>,, +"(%"=#,9 +")&1("-,$1&'#")$' +%5#9$59 %1D1#52
66
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
F#*-"4 Live Authentication Log 3%581% +%")8"$%, Log Analysis View :
– <$61$ +" +"&'>"-,$1&')458 ,*$1#$5?54,7598
67
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
U'3<<%'271# 3+,'2/+,7 % <2"4B27#,-"-/
Africa-Southern-SouthAfrica-Firewalls!
Africa-Southern-SouthAfrica-Switches!
Africa-Southern-SouthAfrica-Routers!
Africa-Southern-Namibia-Firewalls!
Africa-Southern-Namibia-Switches!
Africa-Southern-Namibia-Routers!
Africa-Southern-Botswana-Firewalls!
Africa-Southern-Botswana-Switches!
Africa-Southern-Botswana-Routers!
…!
!+- 3+,'2/+,7#
M#'J3',%B#,2'.: • Router1
• Router2
C2&&3,#,2'.: • Switch1
• Switch2
(-'#'6%9 ,%<27 3+,'2/+,7
!+- 3+,'2/+,7#
Africa Devices
SouthAfrica Devices: • Router2 • Switch2
(-'#'6%9 &-+,2<2"20-*%9
Asia Devices
SouthernDevices
3&")4,9 ;%*++5%"-4, *)$%"2)$- -
ACS 4.x
F#"K1)$-" 51%,%:52 -
ACS 5
68
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
A+,'2/+,72 (<2"4B27#,-"4) &20-, <'%*#$"-0#,4 *-+12"41%& 8'3<<#&
E,>#,61#51 ;%*++ *)$%"2)$-*
69
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
M%8'#?%9 + <'-$.$3>%6 7-'+%/ ACS 3%"-1%'$1 ?*#475"#,& ACS - ACS 5.1/5.2 +"((1%K5-,1$ +"(,-&9IP52 #,="% ?*#4752 ACS 4.x http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html
S&9 )">(,#59 4"#?5;*%,755 5)+"&'>*2$1 )&1(*IP51 81$"(B
– Migration tool (58+"%$5%*1$ 4"#?5;*%,755 ACS 4.x )
– Import tool (*$5&5$, 58+"%$5%*IP,9 CSV-?,2&B ) 4"#?5;*%,7512) • Users, hosts, network devices, identity groups, NDGs, downloadable ACLs,
command sets
– L*6#,9 4"#?5;*%,759
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
F"(1&' 4"#$%"&9 (")$*+, #, ")#"-1 NAC Appliance
71
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Q")$5
Network-Attached Device
WLC
NAC Guest Server
NAC Profiler Server
Directory Service
Cisco TrustSec NAC Appliance $"9 %*E'#+,'31,3' )-B 802.1X
3"&'>"-,$1&5, *)$%"2)$-,
T,P5P,18B1 %1)*%)B
Campus Network
IP Phones NAC Manager
NAC Server
3%"$"4"& *+%,-&1#59: SNMP
NAC Agent
M"64, +%581#1#59 +"&5$54
Cisco® Catalyst®
Switch
72
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
F'-%&3>-+,7# NAC Appliance
@*$1#$5?54,759 3"&'>"-,$1&12 5 *)$%"2)$- - )1$5
!"#$%"&' +"&5$545 5 11 +%581#1#51 S&9 )""$-1$)$-59 +"&5$541 (")$*+,
3%"-1%45 5 "$61$B !$" - 8"12 )1$5?
S5??1%1#75%"-,##B2 (")$*+ S&9 "%;,#5>,755 %"&1-";" (")$*+, 4 )1$5
73
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
1. C2*-;*./ <2"4B27#,-"4 <2$1"D;#-, *23,)31 1 +-,%
F'2?-++ #3,-*,%E%1#?%% % #7,2'%B#?%% NAC : Out-of-Band
3. V+"% 3+,'2/+,72 *- #3,-*,%E%?%'27#*2 NAC Manager- 2& 2*2 <-'-&->#-,+9 7 “authentication” VLAN.
2. C2&&3,#,2' J"-, NAC Manager 37-$2&"-*%- 2 *272& MAC
!"8+'I$1% ) NAC Agent
Switch
NAC Manager
NAC Server
Network
VLAN 10
VLAN 110
VLAN 10
74
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
4. =#<'#J%7#-,+9 %*E2'&#?%9 2 <2"*2&2;%96 $"9 2<'-$-"-*%9 “'2"%:”
• NAC Agent <2"3;#-, 2, NAC Server 12&#*$3 <'27-'%,4 +22,7-,+,7%- 2+*27.7#9+4 *# '2"%
5. F'% *-2)62$%&2+,% <'272$%,+9 12''-1?%9 12*E%83'#?%% 12&<4D,-'#
F'2?-++ #3,-*,%E%1#?%% % #7,2'%B#?%% NAC : Out-of-Band
!"8+'I$1% ) NAC Agent
Switch
NAC Manager
NAC Server
VLAN 10
VLAN 10
VLAN 110
VLAN 110
Network Network
75
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
7. NAC Server %*E2'&%'3-, NAC Manager ;,2 62+, “+-',%E%?%'27#*” , % NAC Manager $#-, 12&#*$3 12&&3,#,2'3 <2&-+,%,4 <2', 7 “access” VLAN.
8. K23,)31 <2"3;#-, $2+,3< 7 12'<2'#,%7*3D +-,4
F'2?-++ #3,-*,%E%1#?%% % #7,2'%B#?%% NAC : Out-of-Band
NAC Server
E"*$=*4 NAC Agent
Switch
NAC Manager
VLAN 10
VLAN 10
VLAN 10 Network
VLAN 110
Network
76
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
NAC #8-*, $"9 "28%*# 7 NAC % 2?-*1% +22,7-,+,7%9
4.
G*#"%B%'3-,+9 +2+,29*%- ($5+B +%"-1%"4 >,-5)9$ "$ +"&'>"-,$1&')4"2 %"&5) @<?%% %+<'#7"-*%9 (%*6#B1 5 ,-$"8,$561)451)
G3,-*,%E%1#?%9 + <2$$-'012/ SSO
77
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
NAC Appliance 7-)-#3,-*,%E%1#?%9
/1=-,;1#$ (&9 4"#$%,4$"%"- 5 ;")$12 ("=1)+165-,1$ +%"-1%4* )")$"9#59) H%,*>1% (&9 -1=-,*$1#$5?54,755
78
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
!#'%#*,. 7*-$'-*%9 NAC Appliance
1. 3%"-"(#,9 )1$' – L3 Out-of-Band ) ACL 5&5 VRF
2. H1)+%"-"(#,9 )1$' – In-Band 5&5 +"(4&I61#51 L2 Out-of-Band 4 WLC
4"#$%"&1%* 3. VPN
– 3"(4&I61##B2 - %1K581 In-Band 4 VPN 4"#71#$%,$"%* 5&5 ASA
4. C)$%"2)$-, (")$*+, )$"%"##5: 4"8+,#52 – In-Band
79
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
F'-$+,#7"-*%- NAC 4.8
E"-B1 ?*#4755 5 -">8"K#")$5 (&9 +"((1%K45 ="&'D";" 65)&, +"&'>"-,$1&')45: )71#,%51-
! Out-of-Band Logoff
! 3,))5-#B1 +1%5"(561)451 "71#45 )")$"9#59 (Passive Re-Assessment)
! C)4"%1#51 "=#"-&1#52 AV/AS
! 3"((1%K4, 8"(*&12 NAC (&9 ISR
! L,)D5%1##,9 "$61$#")$'
! NAC Agent ,-$"%5>5%*1$ )1%-1%
! <;%,#561#51 (")$*+, ,(85#5)$%,$"%"- +" Source IP
NACS
NACM
Auth
80
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
C#1%& 2)'#B2& 9 <27,2'*2 2?-*%7#D 3+,'2/+,7# <2+"- %6 +-',%E%1#?%% ? 3"-$"%#,9 +,))5-#,9 "71#4, NAC
! 3"((1%K4, ,;1#$"- (&9 Windows 5 MAC ! @;1#$B +"&*6,I$ +"&5$54* +"-$"%#"2 "71#45 "$ )1%-1%, NAC ! 3"&5$545 "+%1(1&9I$)9 #1>,-5)58" (&9 4,K(";" +"&'>"-,$1&9 ! /B 8"K1$1 %,>%1D5$' +"&'>"-,$1&98 +%"("&K5$' %,="$*, *)$%,#5$' #1)""$-1$)$-51 5&5 -B#*(5$' >,-1%D5$' %,="$* failing re-assessments
/B ("&K#B *)$%,#5$'
/B+"#51 $%1="-,#52
NACM NACS 0+5)"4 #1)"$-1$)$-52
M%1="-,#59 4 %"&5
3"&5$54, +,))5-#"2 +"-$"%#"2 "71#45 8"K1$ +%5)-,5-,1$)9 #1>,-5)58" "$ +"&5$545 (&9 &";5#, (+1%-"#,6,&'#";" -:"(, - )5)$18*)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
O)+"&'>"-,#51 NAC Profiler (&9 4"#$%"&9 (")$*+, *)$%"2)$-
82
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
NAC Profiler: <'-%&3>-+,7# 3%581% 4,$1;"%52 +%"?5&5%"-,##B:
*)$%"2)$-
IP M1&1?"#B
3%5#$1%,
IP !,81%B
OH3
3! =1> ),+&54,#$"-
Collector Profiler
Non-802.1X Devices On Your Network
NAC Profiler
!"#$
%&'(
#)(
*+#)
,+%)
#-
F'2E%"%'27#*%- 3+,'2/+,7 <=#,%*K1#51 -)1: )1$1-B: *)$%"2)$- +" $5+* 5 81)$"#,:"K(1#5I 3"((1%K4, - %1,&'#"8 -%181#5 5 5)$"%561)45 )$,$*) "=#,%*K1##B: *)$%"2)$-
M2*%,2'%*8 3+,'2/+,7 F"#5$"%5#; )")$"9#59 )1$1-B: *)$%"2)$- <=#,%*K1#51 )"=B$52 ) +"((1&4"2 ,(%1)"-, 5>81#1#51 +"%$"- 5 $.+.
83
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
F'2E%"%'27#*%-
Profiler collector )"=5%,1$ 5 4"%%1&5%*1$ ,$%5=*$B (&9 5(1#$5?54,755 4"#16#B: *)$%"2)$- . M,458 "=%,>"8 +%"?5&' )")$"5$ 5> #,="%, ,$%5=*$"-.
NAC Profiler Server
Profiler Collector
• CDP • Netflow (IP ,(%1) 5 +"%$)
• DHCP Vender ID
• MAC OUI
V$" $,4"1 +%"?5&' $1&1?"#,? / Profiler Server, ,(85#5)$%,$"% "+%1(1&5& “$1&1?"#” 4,4 • MAC OUI = Cisco Systems • CDP ID = SEP00BFDFCD658 • DHCP vendor id = IP phone • M%,?54 = RTP, SIP 5 Skinny
@#$5)+*?5#;: W)&5 “$1&1?"#” #,65#,1$ )&,$' $%,?54 "$&56#B2 "$ ;"&")"-";", $" *)$%"2)$-" #1 =*(1$ ="&11 +%"?5&5%"-,$')9 4,4 $1&1?"#.
84
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
G,'%)3,. 12*-;*.6 3+,'2/+,7 $"9 2<'-$-"-*%9 <'2E%"9
Layer 2 • MAC ,(%1)/-1#("%
• DHCP ,$%5=*$B: – Vendor Class Identifier
– Hostname
– DHCP Options (4 +%581%* "+759 150 (&9 IP phones)
• C61$#,9 5#?"%8,759 RADIUS
Layer 3-7 • <$4%B$B1 +"%$B TCP • M5+ $%,?54, • M5+ Web User Agents • 0""$-1$)$-51 Web URL • H,##1%B -)$%"1##";" Web
)1%-1%, • H,##1%B -)$%"1##";"
SMTP )1%-1%, • O#?"%8,759 " )1$1-"8
)$141 • O89 DNS • CDP • <+5),#51 SNMP System
Description
85
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
NAC <'2E%"4 7 %*E'#+,'31,3'- 802.1X The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your
0"=%,##B1 (,##B1 +%" *)$%"2)$-, C+%,-&1#51 5 4"#$%"&'
LDAP Query/LDAP Response
NAC Profiler Server
Cisco Secure ACS
NAC Profiler Collector
NAC Profiler Collector O#$1;%,759 61%1>
LDAP
86
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
802.1X % Profiler LDAP %*,-8'#?%9
• Profiler 5#$1;%5%*1$)9 ) ACS 5)+"&'>*9 LDAP (&9 4&,))5?54,755 +" MAC-,(%1),8 MAC Authentication Bypass (MAB).
• Profiler +1%1(,1$ )&1(*IP*I 5#?"%8,75I - ACS : – MAC ,(%1) #,2(1##";" *)$%"2)$-, – E,>-,#51 +%"?5&9
• Profiler 8"K1$ >,)$,-5$' +"%$ 4"88*$,$"%, +"-$"%#" ,*$1#$5?575%"-,$' *)$%"2)$-"- “+1%1(1%;5-,9” +"%$.
87
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
NAC Profiler c NAC Appliance
NAC API 5 Direct SQL
01%-1% NAC Profiler
NAC Manager
NAC Server1 w/ NAC Profiler
Collector
NAC Server1 w/ NAC Profiler
Collector
0"=%,##B1 (,##B1 +%" *)$%"2)$-, C+%,-&1#51 & 4"#$%"&'
88
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
(*,-8'#?%9 + NAC Manager • /)1 4"#16#B1 *)$%"2)$-, 4&,))5?575%*I$)9 ) +"8"P'I NAC Profiler. Profiler "$?5&'$%"-B-,1$ +%"?5&5%"-,##B1 *)$%"2)$-, 5 +1%1(,1$ 5#?"%8,75I - NAC manager. 0&1(*IP51 (,##B1 +1%1(,I$)9 61%1> NAC Manager API:
– MAC ,(%1) *)$%"2)$-,
– <+5),#51
– M5+ (")$*+, (Allow, Deny, Role , Check, Ignore)
• 3%"?,2&1% +%"("&K,1$ 8"#5$"%5$' *)$%"2)$-, (&9 $";" 6$"=B *=1(5$')9, 6$" +%"?5&' #1 5>81#5&)9. W)&5 +%"?5&' 5>81#5&)9 (+"$"8* 6$" *)$%"2)$-" =B&" +"(81#1#"), Profiler 5#?"%85%*1$)9 NAC manager 5 *)$%"2)$-" +1%14&,))5?575%*1$)9.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID
C+%,-&1#51 ;")$1-B8 (")$*+"8
90
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
@<?%% 3<'#7"-*%9 82+,-7.& $2+,3<2&
M%5 "+755 (&9 *+%,-&1#59 ;")$1-B85 >,+5)985 • ."4,&'#,9 -1=-,*$1#$5?54,759 #,
4"88*$,$"%1 – O)+"&'>*1$)9 - ")#"-#"8 - #1="&'D5: -#1(%1#59:
– 3%"-"(#"1 +"(4&I61#51
• A1#$%,&5>"-,##B2 )1%-1% NAC Guest – O)+"&'>*1$)9 (&9 ="&'D5: -#1(%1#52
– 3"((1%K5-,1$)9 +%"-"(#"1 / =1)+%"-"(#"1 +"(4&I61#51
– Q5=451 -">8"K#")$5 -B(,65 ;")$1-B: >,+5)12
• A1#$%,&5>"-,#" #, Wireless Controller – R5%"4" 5)+"&'>*1$)9, 4";(, ;")$5 +"(4&I6,I$)9 $"&'4" =1)+%"-"(#"
M5+B ;")$1-";" (")$*+,
Group: Contractor
Group: Guest
91
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Q%1" 3<'#7"-*%9 82+,-7.& $2+,3<2&
./.0.12.310.4
C3L@/.WEOW
C/WS<F.WEOW
<MVWME<0MZ
52B$#*%- 82+,-7282 "28%*#
A<'#7"-*%- 82+,-7.&% "28%*#&%
F'-$2+,#7"-*%- "28%*27 82+,9&
@,;-,*2+,4 <2 82+,9&
S1&1;5%"-,#51 +"&#"8"652 )">(,#59 *61$#B: >,+5)12 3,41$#"1 )">(,#51 *61$#B: >,+5)12
L,)+16,$,$'
3")&,$' +" X&14$%"##"2 +"6$1
3")&,$' 61%1> SMS
3%")8,$%5-,$', %1(,4$5%"-,$', ,-$"8,$561)45 =&"45%"-,$'
C+%,-&1#51 ;%*++,85 *61$#B: >,+5)12
3%")8"$% "$61$"- +" )1$1-"8* $%,?54*
3%")8"$% "$61$"- +" (12)$-598 ) *61$#B85 >,+5)985
92
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
TrustSec NAC Guest Server • F#";"?*#475"#,&'#"1
*)$%"2)$-" (+&,$?"%8, NAC Appliance 3315)
• /1)' K5>#1##B2 754& *+%,-&1#59 ;")$1-B8 (")$*+"8
• Y")$5#; )$%,#57 (&9 :"$)+"$"- ,*$1#$5?54,755
NAC Guest Server (NGS) 2.02
Active Directory ) +"((1%K4"2 SSO LDAP RADIUS Kerberos
• Q5=452 -1=-+"%$,& (&9 )"$%*(#54"- 4"$"%B1 >,4,>B-,I$ ;")$1-B1 *61$#B1 >,+5)5 ) 5#$1;%,7512 -:
93
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
I#)2,# +-,-7.6 3+,'2/+,7 + NAC Guest
01$1-B1 *)$%"2)$-, "=1)+165-,I$ 4"#$%"&' (")$*+, ;")$1-";" +"&'>"-,$1&9
– <=1)+165-,I$ ,-$"8,$561)452 %1(5%14$ #, +"%$,&
– @*$1#$5?575%*1$ +"&'>"-,$1&9 ) +"8"P'I ;")$1-";" )1%-1%,
– <=1)+165-,1$ +%581#1#51 +%,- (")$*+,
– 0":%,#9I$ 5#?"%8,75I " )1$1-"2 ,4$5-#")$5
Cisco NAC Appliance – <71#4, )""$-1$)$-59
– 3%"-"(#"1 5 =1)+%"-"(#"1 +%581#1#51
Cisco Wireless LAN Controllers – /)$%"1##B1 -">8"K#")$5 ;")$1-";" (")$*+,
– 3%"-"(#"1 5&5 =1)+%"-"(#"1 5)+"&'>"-,#51
– /)$%"1##B1 ?*#4755 $*##1&5%"-,#59 ;")$1-";" $%,?54, (anchor controller)
0 +"8"P'I RADIUS ,*$1#$5?54,755 +"((1%K5-,1$)9 &I="1 *)$%"2)$-"
94
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Active Directory
RADIUS Proxy
5?-*#'%/ %+<2"4B27#*%9 A*%E%?%'27#**#9 7-)-#3,-*,%E%1#?%9 $"9 <'272$*282 % )-+<'272$*282 $2+,3<27 +2,'3$*%127 % 82+,-/
SSC
Employee
Q")$'
3,%5$1$ (&9 Wired / WLAN
A1#$%,&5>"-,##,9 +"&5$54, 5 *61$
0"-81)$58")$' 802.1X/MAB 0"$%*(#54
NAC Guest
Server 2.0.2
ACS 5.1
95
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
@,;-, <2 #1,%7*2+,% 82+,-/
Internet
(&9: guestname IP #$'-+: 10.1.1.1
!'-&9 "28%*#: 15:05 !'-&9 "28#3,#: 14:30
15:07 10.1.1.1 accessed http://www.cisco.com 15:08 10.1.1.1 used the bittorrent protocol 15:09 10.1.1.1 connected to vpn.mycompany.com
C2*+2"%$%'27#**#9 2,;-,*2+,4 2) #1,%7*2+,%
96
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
:-,#"4*./ #3$%, 82+,-72/ #1,%7*2+,%
! !";(, -B+"# -:"(
! Q(1 -B+"# -:"(
! @(%1) ;")$9
! V$" (1&,& ;")$'
! V$" =B&" %,>%1D1#"
! V$" =B&" >,+%1P1#"
97
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
!.72$. • Cisco Secure ACS 5.x 9-&91$)9 9(%"8 )5)$18B
TrustSec 5 +">-"&91$ "61#' ;5=4" *+%,-&9$' +"&#"8"65985 (")$*+,
• Cisco LMS 4.0 "=1)+165-,1$ 71&")$#"1 *+%,-&1#51 (&9 -#1(%1#59 TrustSec/802.1x
• L1D1#51 Cisco TrustSec "=&,(,1$ ="&'D58 65)&"8 ("+"$1&'#B: )1%-5)"- (;")$1-"2 (")$*+, +"((1%K4, +%"?5&5%"-,#59 *)$%"2)$- =1> ,;1#$"-, 5#$1;%5%"-,##"1 *+%,-&1#51) 5 9-&91$)9 &5(1%"8 #, %B#41 NAC +" ?*#475"#,&*
• S,&'#12D58 %,>-5$518 %1D1#52 Cisco TrustSec 9-&91$)9 ="&11 $1)#,9 5#$1;%,759 - 1(5#"2 +&,$?"%81
98
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
!2<'2+. % @,7-,.
99
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
M. 62,-"% ). 3B*#,4 !#J- &*-*%-
F20#"3/+,#, B#<2"*%,- #*1-,3