BRKSEC-2044 Next-Generation Network Access Policy with Cisco Secure Access Control System (ACS)

Transcript of BRKSEC-2044_PATEL-5

  • BRKSEC-2044

    Next-Generation Network Access Policy with Cisco Secure Access Control System (ACS)

  • 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public. Slide 2

    Abstract

    The recently released ACS 5 provides a flexible, all new, policy-based model. This is an intermediate session and topics include:

    Benefits of the new rules-based policy model

    Guidelines and considerations when migrating from ACS 3.x/4.x to the new model

    Policy examples of ACS core scenarios such as 802.1X, remote access, device administration

    This session is targeted at technical decision makers, network architects and operations staff of enterprises, who are involved in designing or supporting network access policy using ACS. Familiarity with ACS 3.x/4.x is recommended.

  • Slide 3

    Abstract (Continued)

    Related sessions include:

    BRKSEC-2005 Deploying Wired 802.1X

    BRKSEC-2046 Cisco Trusted Security (CTS) & Security Group Tagging

    BRKSEC-2073 Introduction to PKI

    BRKSEC-3005 Advanced IEEE 802.1x Design and Troubleshooting

    TECSEC-2010 Migrating Your LAN to IEEE 802.1X

    PNLSEC-1040 Panel: Access Control

  • Slide 4

    Agenda

    Rules-based Policy

    ACS Building Blocks

    Network Resource Configuration

    User and Identity Store Configuration

    Policy Element Configuration

    Access Policy Configuration

    Deployment and Migration Overview

  • Slide 5

    ACS 5: Rules-based Policy

  • Slide 6

    Borderless Networks

    The Transformation: The World Is Our New Workspace

    A Next Generation Architecture to Deliver the New Workspace Experience

    Any Person, Any Place, Any Device, Any Resource: the Right Person, on the Right Device, in the Right Place, to the Right Resource

  • Slide 7

    ACS 5 Flexible Rule-Based Policies

    Identity Information (for example Identity: Network Administrator, Identity: Full-Time Employee, Identity: Guest)

    + Other Conditions (Time and Date, Access Type, Location)

    = Authorization Profiles (Engineering, Human Resources, Finance, Home Access, Guest, Deny Access)

  • Slide 8

    ACS View Increased Visibility

    Customizable Dashboard

    Comprehensive Reporting: standard report templates and customized reports

    Alarms and Notifications: custom triggers, alerts via email and syslog

  • Slide 9

    ACS View Improved Troubleshooting

  • Slide 10

    Overall AAA Request Flow

    Auth Request -> Service Selection -> Access Service (Identity Policy, then Authorization Policy) -> Auth Response

    Service Selection policy directs requests to the correct Access Service

    Identity Policy selects the identity stores for AA

    Authorization Policy determines the authorization for the user

  • Slide 11

    ACS Service Selection Policy

    AAA Request -> Service Selection -> Access Service 1 / Access Service 2 / Access Service 3 -> AAA Response

    Service Selection Criteria: AAA protocol, Network device group, ACS server, Request attributes, Date and time, AAA client

  • Slide 12

    First Match Rule Tables For Policy

    Service Selection, Identity Policy and Authorization Policy are each a rule table of Conditions -> Result, read top-down; the first matching rule supplies the result (Auth Request -> Service Selection -> Access Service -> Auth Response)

  • Slide 13

    What Are The Policy Results?

    Service Selection -> Access Service (Access Service 1, 2 or 3)

    Identity Policy -> Identity Store(s) For AA

    Authorization Policy -> Authorization Profiles (for example ACL, VLAN, Priv Lvl)

  • Slide 14

    What Are The Policy Conditions?

    Service Selection: Request Attributes, Device Information

    Identity Policy: Auth Type (PAP, CHAP, PEAP, TLS), Certificate Attributes

    Authorization Policy: User Groups and Attributes (Attr1, Attr2, Attr3)

    More conditions become available at each step

  • Slide 15

    Available Policy Conditions

    Service Selection   | Identity                    | Authorization
    ACS Host Name       | [Previous column]           | [Both previous columns]
    Device Filter       | Authentication Method       | Authentication Status
    Device IP Address   | [Certificate attributes]    | Identity Group
    Device Port Filter  | EAP Authentication Method   | [Internal user attributes]
    End Station Filter  | EAP Tunnel Building Method  | [Directory groups]
    NDGs                |                             | [Directory attributes]
    Protocol            |                             | System:UserName
    Time And Date       |                             | Was Machine Authenticated
    Use Case            |                             | [RADIUS and TACACS+ attributes]

  • Slide 16

    Example - Service Selection Policy

    Protocol | NDG:DeviceType   | Access Service
    TACACS+  | -ANY-            | Device Admin
    RADIUS   | VPNConcentrators | Remote Access
    RADIUS   | -ANY-            | LAN Access

  • Slide 17

    Example - Identity Policy

    Policy to select identity stores that are used to authenticate and retrieve attributes/group info

    Authentication Method | Identity Store
    X509 Certificate      | Certificate Profile
    MSCHAPv2              | CORP_AD
    If no match           | Deny Access

  • Slide 18

    Example - Authorization Policy

    ID Group | Location | Access Type | Time & Date | Compliance    | Azn Profile
    ENGR     | -        | -           | -           | Compliant     | ENG
    ENGR     | -        | -           | -           | Not Compliant | PUB, ENG
    CONT     | CAMPUS   | WIRED       | DAY         | Compliant     | CONT
    CONT     | CAMPUS   | WIRELESS    | DAY         | Compliant     | CONT_WLAN
    PRINTERS | CAMPUS   | WIRED       | -           | -             | PTR
    DEFAULT (if no match found)                                     | QUAR

    First match: evaluation stops at the first matching row, so permissions from different rows are never merged and row order is part of the policy

    Discrete columns per condition element ("-" means the condition is not evaluated for that row)

    Authorization profiles may be combined in a single rule's result (for example PUB, ENG)

    Default rule (if no match found)
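    The three example tables above, run as code. This is an added example and not Cisco's implementation: it models first-match evaluation of the Service Selection, Identity and Authorization tables from slides 16 to 18, with a check for rows that an earlier row hides. The identity stores, user records and request attributes are constructed for the example, and the assumption that the slide 17/18 tables belong to the LAN Access service is the example's own.

```python
"""First-match rule tables modelled on the ACS 5 request flow on the slides.

Added example, not Cisco code. The three tables reproduce the example
slides (service selection, identity policy, authorization policy); the
identity stores, user records and requests are constructed here.
"""
from dataclasses import dataclass

ANY = "-ANY-"            # wildcard as written in the slide tables;
                         # a "-" cell is simply an omitted key below
DENY = "Deny Access"


@dataclass
class Rule:
    conditions: dict     # attribute name -> required value
    result: object


def _matches(conditions, attrs):
    return all(v == ANY or attrs.get(k) == v for k, v in conditions.items())


def first_match(rules, attrs, default):
    """Top-down evaluation: the first rule whose conditions all hold wins.
    Results are never merged across rules; the default applies only when
    no rule matched."""
    for rule in rules:
        if _matches(rule.conditions, attrs):
            return rule.result
    return default


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule matches
    every request they match. Worth running on any first-match table."""
    return [j for j, later in enumerate(rules)
            if any(_matches(earlier.conditions, later.conditions)
                   for earlier in rules[:j])]


# Slide "Example - Service Selection Policy"
SERVICE_SELECTION = [
    Rule({"Protocol": "TACACS+", "NDG:DeviceType": ANY}, "Device Admin"),
    Rule({"Protocol": "RADIUS", "NDG:DeviceType": "VPNConcentrators"},
         "Remote Access"),
    Rule({"Protocol": "RADIUS", "NDG:DeviceType": ANY}, "LAN Access"),
]

# Slide "Example - Identity Policy"; the "If no match" row is the default
IDENTITY_POLICY = [
    Rule({"Authentication Method": "X509 Certificate"}, "Certificate Profile"),
    Rule({"Authentication Method": "MSCHAPv2"}, "CORP_AD"),
]

# Slide "Example - Authorization Policy". Results are lists because one
# rule may return several profiles (PUB, ENG); rows are still not merged.
AUTHORIZATION_POLICY = [
    Rule({"ID Group": "ENGR", "Compliance": "Compliant"}, ["ENG"]),
    Rule({"ID Group": "ENGR", "Compliance": "Not Compliant"}, ["PUB", "ENG"]),
    Rule({"ID Group": "CONT", "Location": "CAMPUS", "Access Type": "WIRED",
          "Time & Date": "DAY", "Compliance": "Compliant"}, ["CONT"]),
    Rule({"ID Group": "CONT", "Location": "CAMPUS", "Access Type": "WIRELESS",
          "Time & Date": "DAY", "Compliance": "Compliant"}, ["CONT_WLAN"]),
    Rule({"ID Group": "PRINTERS", "Location": "CAMPUS", "Access Type": "WIRED"},
         ["PTR"]),
]
DEFAULT_PROFILES = ["QUAR"]

# Constructed identity stores: store -> {user: attributes returned on success}
STORES = {
    "CORP_AD": {"alice": {"ID Group": "ENGR"}, "carol": {"ID Group": "CONT"}},
    "Certificate Profile": {"printer-17": {"ID Group": "PRINTERS"}},
}


def evaluate(request):
    """Run one request through the three stages and report each decision.
    Assumption: the slide 17/18 tables belong to the LAN Access service;
    the other two services are selected but not modelled here."""
    attrs = dict(request)
    service = first_match(SERVICE_SELECTION, attrs, None)
    if service is None:
        return {"service": None, "result": "rejected: no access service"}
    if service != "LAN Access":
        return {"service": service, "result": "policies not modelled here"}
    store = first_match(IDENTITY_POLICY, attrs, DENY)
    user = STORES.get(store, {}).get(attrs.get("User-Name"))
    if user is None:                       # covers the Deny Access default
        return {"service": service, "store": store, "result": DENY}
    attrs.update(user)                     # more conditions now available
    profiles = first_match(AUTHORIZATION_POLICY, attrs, DEFAULT_PROFILES)
    return {"service": service, "store": store, "profiles": profiles}


# Constructed requests
ALICE_WIRED = {"Protocol": "RADIUS", "NDG:DeviceType": "Switch",
               "Authentication Method": "MSCHAPv2", "User-Name": "alice",
               "Location": "CAMPUS", "Access Type": "WIRED",
               "Time & Date": "NIGHT", "Compliance": "Compliant"}
CAROL_WLAN = {**ALICE_WIRED, "User-Name": "carol", "NDG:DeviceType": "WLC",
              "Access Type": "WIRELESS", "Time & Date": "DAY"}
CAROL_NIGHT = {**CAROL_WLAN, "Time & Date": "NIGHT"}
PAP_LOGIN = {**ALICE_WIRED, "Authentication Method": "PAP"}

if __name__ == "__main__":
    for name, req in [("alice", ALICE_WIRED), ("carol day", CAROL_WLAN),
                      ("carol night", CAROL_NIGHT), ("pap", PAP_LOGIN)]:
        print(name, evaluate(req))
    print("shadowed:", shadowed_rules(SERVICE_SELECTION))
```

    The contractor at night falls through to the QUAR default, and the PAP login is refused by the identity policy's "If no match" row before any store is consulted. Swapping the two RADIUS rows of the service selection table makes the VPNConcentrators row unreachable, which shadowed_rules reports; that is the kind of ordering mistake first-match tables invite.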

  • Slide 19

    ACS 5 GUI Navigation Overview

    Access Service building blocks; Service Selection policy and Access Service definition

  • Slide 20

    ACS 5: Network Resource Configuration

  • Slide 21

    Network Resources (ACS 4 vs ACS 5)

  • Slide 22

    ACS 4.x Network Device Grouping

    Africa-Southern-SouthAfrica-Firewalls

    Africa-Southern-SouthAfrica-Switches

    Africa-Southern-SouthAfrica-Routers

    Africa-Southern-Namibia-Firewalls

    Africa-Southern-Namibia-Switches

    Africa-Southern-Namibia-Routers

    Africa-Southern-Botswana-Firewalls

    Africa-Southern-Botswana-Switches

    Africa-Southern-Botswana-Routers

    Flat ACS 4 device grouping

  • Slide 23

    Powerful ACS 5 Device Grouping

    Device Type Hierarchy: All Devices > Routers (Router1, Router2); All Devices > Switches (Switch1, Switch2)

    Location Hierarchy: All Devices > Africa Devices > Southern Devices > South Africa Devices (Router2, Switch2); All Devices > Asia Devices

    ACS 5 multiple device hierarchies: a single attribute references all Southern African devices; combine nodes from different hierarchies in policy to reference the device intersection

  • Slide 24

    Network Devices With Multiple Group Assignment

    Adding devices to device groups

  • Slide 25

    Default Network Device

    ACS will use the Default Network Device for AAA clients that haven't been defined in ACS

    Because it accepts requests from any AAA client address, the Default Network Device is a catch-all: give it its own shared secret and enable it only where unlisted AAA clients are expected

  • Slide 26

    Using Hierarchical NDGs

    Service Selection:

    NDG:Device Type | Access Service
    VPN Conc        | Remote Access
    Wireless        | Wireless Access
    Switch          | Wired Access

    Identity Policy:

    NDG:Device Type | Identity Store
    VPN Conc        | OTP
    Wireless        | AD

    Authorization Policy:

    NDG:DeviceType | NDG:Location | NDG:Vendor | Authorization Profile
    VPN Conc       | West         | Cisco:IOS  | IOS privs
    VPN Conc       | East         | Cisco:XR   | XR privs
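    Hierarchy matching as code, covering slides 23 and 26. This is an added example, not Cisco's implementation: it shows how one Location node such as Africa:Southern references every device below it, why the comparison must be on whole labels rather than string prefixes, and how conditions on two hierarchies intersect. The root labels, the Vendor hierarchy assignments and the device names other than Router2 and Switch2 are constructed for the example.

```python
"""Hierarchical network device groups (NDGs) as on the ACS 5 slides.

Added example, not Cisco code. The three hierarchies (Location, Device
Type, Vendor), their root labels and the device assignments are
constructed to mirror the slides; most device names are assumptions.
"""

# Every device holds exactly one node per hierarchy, written as a
# "Root:Child:Grandchild" path, the notation the slides use for NDGs.
DEVICES = {
    "Router2":   {"Location": "All Locations:Africa:Southern:SouthAfrica",
                  "Device Type": "All Device Types:Routers",
                  "Vendor": "All Vendors:Cisco:IOS"},
    "Switch2":   {"Location": "All Locations:Africa:Southern:SouthAfrica",
                  "Device Type": "All Device Types:Switches",
                  "Vendor": "All Vendors:Cisco:IOS"},
    "Fw-Nam1":   {"Location": "All Locations:Africa:Southern:Namibia",
                  "Device Type": "All Device Types:Firewalls",
                  "Vendor": "All Vendors:Cisco:ASA"},
    "Rtr-Tokyo": {"Location": "All Locations:Asia:Japan",
                  "Device Type": "All Device Types:Routers",
                  "Vendor": "All Vendors:Cisco:XR"},
    # Deliberately similar label: must NOT match Africa:Southern
    "Rtr-Cape":  {"Location": "All Locations:Africa:SouthernOcean",
                  "Device Type": "All Device Types:Routers",
                  "Vendor": "All Vendors:Cisco:IOS"},
}


def in_ndg(device_node, condition_node):
    """True when the device's node is the condition node or lies below it.
    Compare whole labels, not raw string prefixes: "Africa:Southern" must
    not match "Africa:SouthernOcean"."""
    dev = device_node.split(":")
    cond = condition_node.split(":")
    return dev[:len(cond)] == cond


def matching_nodes(device_node):
    """Every condition value that would match this device in its
    hierarchy, from the root down. Useful when asking why a rule fired."""
    labels = device_node.split(":")
    return [":".join(labels[:i]) for i in range(1, len(labels) + 1)]


def select(devices, conditions):
    """Devices satisfying every NDG condition. Conditions on different
    hierarchies intersect, which is how one rule references all switches
    in Southern Africa without enumerating flat group names."""
    return sorted(name for name, ndgs in devices.items()
                  if all(in_ndg(ndgs[h], node) for h, node in conditions.items()))


if __name__ == "__main__":
    southern = {"Location": "All Locations:Africa:Southern"}
    print(select(DEVICES, southern))
    print(select(DEVICES, {**southern, "Device Type": "All Device Types:Switches"}))
    print(matching_nodes(DEVICES["Router2"]["Location"]))
```

    Compare this with the ACS 4 list on slide 22: there, "all Southern African devices" is nine flat group names that every policy must enumerate and keep in step; here it is a single node, and the intersection with a Device Type node needs no extra group.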

  • Slide 27

    Network Resources: Key Changes

    ACS 5 supports a single device definition for the same RADIUS and TACACS+ client

    Change from flat, exclusive device grouping to overlapping, multiple, hierarchical grouping

    ACS 5.1 supports a Default Network Device

  • Slide 28

    ACS 5: User and Identity Store Configuration

  • Slide 29

    Users and Identity Stores (ACS 4 vs ACS 5)

  • Slide 30

    Identity Policy Result Options

    The Identity Policy result is the Identity Store(s) For AA. Options: ACS Internal Users/Hosts, Active Directory, LDAP Directories, SecurID/OTP Servers, Certificate Profiles, Identity Store Sequences

  • Slide 31

    Identity Store Sequences Enable Different Identity Stores For AA

    This Identity Store Sequence allows authentication to an OTP server, while an LDAP directory is queried for authorization information

    NDG:DeviceType | Identity Store
    VPN Conc       | OTP+LDAP

  • Slide 32

    Hierarchical User Grouping

    Hierarchical grouping for ACS internal users, also available in policy

  • Slide 33

    Extensible ACS User Schema

    Custom schema attributes are available as policy attributes (yes, multiple groups!)

    ID Group      | Location | Authorization Profile
    IT Networking | Campus 1 | VLAN=User:VLAN

  • Slide 34

    External Groups - Mapping Not Required

    Group selection is available for LDAP and AD directories

    Directory groups selected here can be used directly in policy conditions without having to map them to an ACS group first (yes, multiple groups!)

    LDAP Groups          | Authorization Profile
    iPhoneUsers && Execs | iPhone-Exec ACLs

  • Slide 35

    Using Directory Attributes

    Directory attributes specified here become available as conditions and result values in access policy

    Department | Nationality | Authorization Profile
    Research   | Namibia     | VLAN=LDAP:VLAN

  • Slide 36

    Users and Identity Stores: Key Changes

    ACS internal users and user-groups are no longer containers of permissions and no longer define access policy

    All access policy is rules-based and attribute-driven

    ACS no longer requires a user to be assigned to a user-group

    External user-groups are attributes that can be used directly in access policy; group mapping is no longer required

    ACS 5.x internal users provide an extensible schema to define user-level attributes that can be used in access policy rules

    ACS 5 internal groups are described in a hierarchical tree where each node is a group attribute that can be assigned to an internal user, and therefore be referenced in access policy

    Identity Store Sequences are used to combine different identity stores for use in a single authentication/authorization request

  • Slide 37

    ACS 5: Policy Element Configuration

  • Slide 38

    Policy Elements (ACS 4 vs ACS 5)

  • Slide 39

    Date & Time Condition Elements

  • Slide 40

    RADIUS Attributes In Authorization Profiles

  • Slide 41

    Dynamic Authorization Values: Using Directory Attributes in Authorization Profiles

    The user's directory attribute, VLAN, will be queried for the VLAN ID to be used

    Common Tasks automatically create the corresponding RADIUS attributes in the authorization profile
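    The dynamic VLAN from slides 33, 35 and 41, expanded into the RADIUS attributes the response carries. This is an added example, not Cisco code: it resolves a Store:Attribute reference (LDAP:VLAN or User:VLAN, as written on the slides) against what the identity store returned during authentication and fills the VLAN common task. The profile dict format, the user records and the decision to reject when the attribute is missing are this example's assumptions; the attribute numbers and values are the standard RFC 2868 / RFC 3580 ones.

```python
"""Dynamic authorization values: the VLAN in an authorization profile is a
reference to a directory attribute (VLAN=LDAP:VLAN on the slides), and
the "VLAN" common task expands into the RADIUS attributes sent in the
Access-Accept.

Added example, not Cisco code. The profile dict format, the user's
retrieved attributes and the fail-closed behaviour are constructed here.
Attribute numbers and values are the standard ones: Tunnel-Type(64) =
VLAN(13), Tunnel-Medium-Type(65) = IEEE-802(6), Tunnel-Private-Group-ID
(81) = VLAN id or name (RFC 2868 / RFC 3580), Filter-Id(11).
"""


class UnresolvedValue(Exception):
    """A Store:Attribute reference could not be resolved or is invalid."""


def resolve(value, retrieved):
    """Static values pass through; "Store:Attribute" references are looked up
    in what the identity stores returned during authentication."""
    store, sep, attr = str(value).partition(":")
    if not sep:
        return value
    try:
        return retrieved[store][attr]
    except KeyError:
        raise UnresolvedValue(f"{value} not returned by the identity store") from None


def vlan_attributes(vlan):
    """Common task "VLAN" -> the three tunnel attributes a switch expects.
    Numeric IDs must be 1..4094; VLAN names are passed through unchanged."""
    vlan = str(vlan).strip()
    if vlan.isdigit() and not 1 <= int(vlan) <= 4094:
        raise UnresolvedValue(f"VLAN id {vlan} out of range")
    return {(64, "Tunnel-Type"): 13,
            (65, "Tunnel-Medium-Type"): 6,
            (81, "Tunnel-Private-Group-ID"): vlan}


def build_response(profile, retrieved):
    """Expand an authorization profile into a RADIUS response. A reference
    that cannot be resolved fails closed: an Access-Accept without the VLAN
    attributes would leave the port on the switch's default VLAN, so the
    request is rejected instead."""
    attrs = {}
    try:
        if "VLAN" in profile:
            attrs.update(vlan_attributes(resolve(profile["VLAN"], retrieved)))
        if "ACL" in profile:
            attrs[(11, "Filter-Id")] = resolve(profile["ACL"], retrieved)
        for key, value in profile.get("radius", {}).items():
            attrs[key] = resolve(value, retrieved)
    except UnresolvedValue as err:
        return {"code": "Access-Reject", "reason": str(err)}
    return {"code": "Access-Accept", "attributes": attrs}


# Constructed: the slide 35 rule (Department Research, Nationality Namibia
# -> VLAN=LDAP:VLAN) and what the LDAP store returned for one such user.
RESEARCH_PROFILE = {"VLAN": "LDAP:VLAN", "ACL": "RESEARCH-ACL"}
RESEARCH_USER = {"LDAP": {"Department": "Research", "Nationality": "Namibia",
                          "VLAN": "310"}}
USER_WITHOUT_VLAN = {"LDAP": {"Department": "Research", "Nationality": "Namibia"}}

if __name__ == "__main__":
    print(build_response(RESEARCH_PROFILE, RESEARCH_USER))
    print(build_response(RESEARCH_PROFILE, USER_WITHOUT_VLAN))
```

    The second call shows the edge case worth testing before relying on directory-sourced VLANs: a user who matches the rule but has no VLAN attribute in the directory. Here that is a reject; whatever the production behaviour is, it should be an explicit decision, not an accept that happens to omit the tunnel attributes.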

  • Slide 42

    Policy Elements - Conditions and Authorization Profiles: Key Changes

    Policy conditions and authorization permissions are no longer part of users and user-groups

    The ACS 5 model extends the ACS 4 Shared Profile Components concept

    All conditions and permissions are defined as reusable components

    These reusable components are referenced in the rules-based policy

  • Slide 43

    ACS 5: Access Policy Configuration

  • Slide 44

    Device Administration Scenario

    (Diagram) Network Administrators authenticate through secure auth mechanisms to replicated ACS servers; access levels Full Access, Partial, Read Only and Server Access are applied across the Backbone, Security Perimeter, West-APs and East device areas

  • Slide 45

    A Device Admin Access Service

    Access Service: Identity Policy, Authorization Policy

  • Slide 46

    Developing Device Administration Authorization Policy

    User Group conditions and multiple Device Group conditions; Shell and Cmd Set authorization results

    ID Group                    | NDG:Loc         | NDG:Dev Type | Shell Profile | Cmd Sets
    IT:NetAdmins:SA:Super Users | Africa:Southern | Any          | Priv Lvl 15   | Full
    IT:NetAdmins:SA:Wireless    | Africa:Southern | Wireless     | Priv Lvl 15   | Full
    IT:NetAdmins:SA:Auditors    | Africa:Southern | Any          | Priv Lvl 15   | Read-Only
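    The table above as code, with the two result types it hands back: a shell profile that sets the privilege level and a command set that is consulted per command. This is an added example, not Cisco code. The Full and Read-Only sets, the group names and the three rows follow the slide; the match semantics (regex on the expanded command word and on its arguments, "deny always" entries first, then the first matching entry, then the set's default) are this example's own simplification and not a description of how ACS orders entries.

```python
"""Device administration results: a shell profile (privilege level) plus a
command set, evaluated per command as a TACACS+ server is asked to do.
Modelled on the device admin table on the slide.

Added example, not Cisco code. The Full and Read-Only sets, the groups
and the three policy rows follow the slide; the match semantics are this
example's own simplification, not a description of ACS internals.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    grant: str                 # "permit", "deny" or "deny_always"
    command: str               # regex for the (expanded) command word
    arguments: str = ".*"      # regex for the rest of the line


@dataclass(frozen=True)
class CommandSet:
    name: str
    entries: tuple
    permit_unlisted: bool      # default for commands no entry matches


FULL = CommandSet("Full", (), permit_unlisted=True)

READ_ONLY = CommandSet("Read-Only", (
    Entry("deny_always", "configure"),
    Entry("deny_always", "reload|write|copy|delete|erase|clear|debug"),
    # running-config carries keys and community strings; auditors get
    # "show" but not that (a design choice made for this example)
    Entry("permit", "show", r"(?!.*\brunning-config\b).*"),
    Entry("permit", "ping|traceroute|terminal|exit|logout"),
), permit_unlisted=False)


def authorize_command(cmd_set, line):
    """Decide one command line. IOS sends the fully expanded command, so
    "sh run" arrives here as "show running-config"."""
    cmd, _, args = line.strip().partition(" ")
    hits = [e for e in cmd_set.entries
            if re.fullmatch(e.command, cmd) and re.fullmatch(e.arguments, args)]
    if any(e.grant == "deny_always" for e in hits):
        return "deny", f"{cmd_set.name}: deny always"
    if hits:
        return hits[0].grant, f"{cmd_set.name}: matched /{hits[0].command}/"
    return ("permit" if cmd_set.permit_unlisted else "deny",
            f"{cmd_set.name}: default")


# Slide rows: (ID group, NDG:Loc, NDG:Dev Type or None for Any) -> results.
# Location is a hierarchy node, so the condition matches the node or below.
DEVICE_ADMIN_RULES = [
    ("IT:NetAdmins:SA:Super Users", "Africa:Southern", None, FULL),
    ("IT:NetAdmins:SA:Wireless", "Africa:Southern", "Wireless", FULL),
    ("IT:NetAdmins:SA:Auditors", "Africa:Southern", None, READ_ONLY),
]


def _under(node, ancestor):
    return node == ancestor or node.startswith(ancestor + ":")


def session_authorization(group, location, device_type):
    """First matching row, or None for the implicit deny default."""
    for g, loc, dtype, cmd_set in DEVICE_ADMIN_RULES:
        if g == group and _under(location, loc) and dtype in (None, device_type):
            return {"priv-lvl": 15, "command_set": cmd_set}
    return None


if __name__ == "__main__":
    session = session_authorization("IT:NetAdmins:SA:Auditors",
                                    "Africa:Southern:SouthAfrica", "Switch")
    for line in ("show ip route", "show running-config", "configure terminal",
                 "reload", "ping 10.0.0.1"):
        print(line, "->", authorize_command(session["command_set"], line))
```

    Note what the Auditors row actually grants: a privilege-15 shell. The Read-Only command set only bites if the device asks the TACACS+ server about each command (on IOS, aaa authorization commands 15 default group tacacs+, plus aaa authorization config-commands for configuration-mode commands). Without that, the shell profile alone gives an unfiltered enable shell.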

  • Slide 47

    Device Admin Shell Profiles

  • Slide 48

    Directing Enable Authentications

  • Slide 49

    Network Access Scenario

    Identity Information (Group: Contractor, Group: Full-Time Employee, Group: Guest) + Other Conditions (Time and Date, Access Type, Location, Device Type) -> Authorization (Controlling Access): Full Access, Limited Access, Guest/Internet, Deny Access, Quarantine; Track Activity for Compliance

    802.1x/Infrastructure examples:

    Vicky Sanchez, Employee, Marketing, Wireline, 3 p.m.

    Frank Lee, Guest, Wireless, 9 a.m.

    Security Camera G/W, Agentless Asset, MAC: F5 AB 8B 65 00 D4

    Francois Didier, Consultant, HQ Strategy, Remote Access, 6 p.m.

  • Slide 50

    Creating An Access Service - Allowed Protocols

    The supported authentication protocols are defined in the access service

  • Slide 51

    Creating An Access Service - Identity Policy

    Identity policy to authenticate both cert and password-based auths

    This authorization policy limits wireless access to engineering and manager groups. The user's directory VLAN attribute is used to assign the VLAN

  • Slide 52

    Implementing Rules-based Service Selection

    A Simple, Protocol-based Service Selection Policy Example

    Service Selection

    Service selection based on AAA protocol

  • Slide 53

    Cisco Alpha Network Service Selection Policy

    RADIUS attribute condition

    Condition using the system UseCase condition for MAB requests

  • Slide 54

    Permission Based On EAP Type

    Identity Policy / Authorization Policy: Marketing users get different permissions based on whether they are using certificates or passwords for authentication

  • Slide 55

    Identity Store Selection Based On ACS Server

    Identity Policy: these rules select the LDAP directory based on the ACS server receiving the request

  • Slide 56

    ACS 5: Deployment and Migration Overview

  • Slide 57

    ACS 5.1 Platform Options

    1120/1121 Hardware Appliance

    One rack-unit (1RU) Linux-based appliance

    VMware Appliance

    Complete appliance image for installation on VMware ESX 3.5 or 4.0

  • Slide 58

    ACS 3/4 to 5 Component Mapping

    3.x/4.x Component                      | 5.1 Option                              | Notes
    ACS for Windows                        | VM in VMware ESX or 1120/1121 appliance | There is no ACS 5 Windows option. ACS 5 is an application/OS bundle that can run in a VM or supported appliance.
    ACS Solution Engine (1111, 1112, 1113) | VM in VMware ESX or 1120/1121 appliance | 1111/2/3 platforms do not support ACS 5.x. 4.2 can run on the 1120.
    ACS Remote Agent                       | N/A                                     | The Remote Agent is no longer required in ACS 5.
    ACS View 4.0                           | VM in VMware ESX or 1120/1121 appliance | View functionality is built in to ACS 5.

  • Slide 59

    ACS 5.x Configuration Replication Model (Primary -> Secondaries)

    Incremental replication

    Full synchronization, no subset options

    Automatically triggered on change

    Flat two-level (primary/secondary) model, no cascading replication

    Config updates on primary only, except for AAA password updates

  • Slide 60

    ACS Distributed Deployment

    Consists of multiple ACSs that are managed together

    One Primary and multiple Secondary servers

    All ACS instances are identical (run full ACS software version)

    Each ACS can play a specific role in the deployment

    Incremental replication model

    Primary ACS is the single point of configuration and monitors the secondary servers

    Automatic incremental replication to Secondary servers

    (Diagram: ACS Master with three ACS Secondaries; initial database download, then incremental replication)

  • Slide 61

    Promoting a Secondary to be a Master

    Each secondary could take the role of the master

    Secondary promotion to be a master is manual

    The master (if not failed) is stopped

    Replication is allowed to complete

    The promoted secondary notifies all ACS instances

    On promotion the secondary interrogates all instances for their replication status

    (Diagram: failed ACS Master marked X; one Secondary becomes the Promoted Master; DB download and incremental replication to the remaining Secondaries)

  • Slide 62

    ACS Logging Options

    ACS 3.x/4.x: ACS to ACS, ODBC, RDBMS, Syslog, ACS View 4.0

    ACS 5.1: Syslog, Integrated View

    One ACS 5 server can be designated as a View log collector

    ACS 5.1 View logging db can synchronize with an external db

  • Slide 63

    ACS 5.1 Identity Stores

    Internal users

    Active Directory

    LDAP directories

    One-Time Password (OTP) Servers

    RSA SecurID

    Others (using RADIUS interface)

    RADIUS proxy servers

    No ODBC support

  • Slide 64

    ACS Configuration Provisioning

    Web-based GUI

    CSV file-based updates

    GUI and CLI triggered

    Web services programmatic interface for password update applications

    Use instead of User Changeable Passwords (UCP) in ACS 3.x/4.x

  • Slide 65

    Licensing

    License          | Description
    Base Server      | One per ACS instance
    Large Deployment | One per ACS deployment when the network device count (based on IP address) in ACS exceeds 500. (Configuring the Default Network Device does contribute to the device count.)

  • Slide 66

    Low-end of ACS 5.1 Performance (Authentications/second)

    Auth Type       | Internal | AD  | LDAP
    PAP             | 500      | 100 | 800
    CHAP            | 500      | 500 | N/A
    TACACS+         | 400      | 160 | 1200
    MSCHAP          | 500      | 300 | N/A
    PEAP-MSCHAP     | 200      | 100 | N/A
    PEAP-GTC        | 200      | 100 | 300
    EAP-TLS         | 200      | 180 | 270
    LEAP            | 330      | 280 | N/A
    FAST-MSCHAP     | 120      | 120 | N/A
    FAST-GTC        | 130      | 110 | 190
    MAC-Auth Bypass | 750      | N/A | 2000

  • Slide 67

    Performance Notes

    Expect up to a 50% performance drop on the log collector ACS

    Expect a 10-50% higher authentication performance on the 1121 appliance

    Assumes session resume and fast reconnect is enabled where applicable for EAP protocols

  • Slide 68

    Minimum ACS Deployment

    Consists of 2 servers

    Primary server provides all the configuration, authentication and policy requirements for the network.

    Second server used as a backup server.

    Replication from primary ACS to secondary ACS to keep the secondary server in synchronization.

  • Slide 69

    Medium Growing ACS Deployment

    As the AAA traffic grows, add additional Cisco Secure ACS servers

    Consider splitting server functions - the primary server for configuration and log collection only, using the secondary servers for AAA functions.

  • Slide 70

    Larger ACS Deployment

    In a large, centralized network consider the use of a load balancer

    Dedicated primary and log collector ACS servers

  • Slide 71

    Server Migration Strategy

    Establish a primary ACS 5 configuration for testing and then phased production roll out

    Maintain existing ACS deployment as a fall-back contingency

    In most cases, a one-for-one server replacement is appropriate

    Understand the peak authentications rates

    Use ACS View System Health alarms to monitor server utilization

  • Slide 72

    Configuration Migration Methods Summary

    Approach             | Notes
    Manual configuration | Necessary for areas such as initial setup tasks and config areas that don't translate easily from 3.x/4.x. A useful approach for learning ACS 5 and for migrating smaller configurations.
    Import tools         | Good option for migrating large configuration areas that are available in a CSV file. Easy to manipulate data.
    Migration tool       | Can analyze 4.1.4/4.2 configs, report on them, and migrate many configuration areas. Provides config analysis and transfers config directly to ACS 5. Requires an ACS 4.x Windows lab machine to run the tool.

  • Slide 73

    ACS 5: Configuration Migration Techniques

  • Slide 74

    Configuration Migration Approach

    Understand the new ACS 5 configuration and policy model

    To create ACS 5 primary server configuration, use a combination of:

    Manual configuration

    Import tool

    Migration tool

  • Slide 75

    Configuration Migration Methods: Manual Configuration

    Required for all migrations

    ACS 5 has a new configuration model that doesn't translate directly from previous versions.

    Migration and import tools will help to transfer some configuration areas, but other areas will require manual re-configuration

    Good option for:

    Small configurations

    Configurations that don't use internal users

  • Slide 76

    Configuration Migration Methods: Import Tools

    ACS 5.1 provides CSV file-based configuration update for some configuration areas

    Supported config areas: users, hosts, network devices, identity groups, NDGs, downloadable ACLs, command sets

    Good option for:

    Config areas that can be created in text files

    Pre-4.x configs that can't be upgraded easily

  • Slide 77

    Configuration Migration Methods: Migration Tool

    A utility that analyzes a 4.x configuration, provides an analysis report, and can convert and push configuration to an ACS 5 server

    Supported config areas: users/user groups, devices/device groups, command sets, T+ shell exec attrs, RACs, FAST master key & auth ID

    Prerequisites: source configuration on ACS 4.x; ACS 4.x (Windows) lab machine (to run the tool)

    Good option for 4.x migrations with large internal user or device configs

  • Slide 78

    References and Resources

    ACS home page

    http://cisco.com/go/acs

    Migration Guide

    http://cisco.com/go/acs -> Install and Upgrade

    Partner forum

    https://www.myciscocommunity.com/community/partner/security?view=overview

    Customer forum

    https://supportforums.cisco.com -> AAA

  • Slide 79

    Complete Your Online Session Evaluation

    Give us your feedback and you could win fabulous prizes. Winners announced daily.

    Receive 20 Cisco Preferred Access points for each session evaluation you complete.

    Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

    Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.