Introduction to Cisco IBNS

Cisco IBNS can be deployed on an end-to-end Cisco network, which includes components such as Cisco Catalyst switches, wireless LAN (WLAN) devices (such as wireless access points and controllers), and a RADIUS server (such as a Cisco Secure Access Control Server [ACS]).

However, for a client to directly benefit from IBNS, the client operating system needs to support IEEE 802.1x. Fortunately, many modern operating systems (such as Microsoft Windows Vista) support 802.1x. For greater scalability, an IBNS solution might operate in conjunction with a Public Key Infrastructure (PKI). Here X.509 certificates are issued to validate a host's identity and to provide the host's public key to any other device that wants to securely communicate with that host. Figure 6-13 shows a Cisco IBNS-enabled network. Notice that the authenticated user receives an IP address from one address pool, and the nonauthenticated user receives an IP address from a different address pool.

Figure 6-13 Cisco IBNS Network Example

(Figure: a DHCP server at 192.168.2.10/24 serving two IP address pools, one for authenticated and one for nonauthenticated hosts. The pool table shown in the figure is reproduced below.)

DHCP Server IP Address Pools

Pool              Address Space
Authenticated     192.168.1.0/24
Nonauthenticated  192.168.2.0/24

Benefits of a Cisco IBNS-enabled network include the following:

■ Cisco IBNS can authenticate individual users and/or devices.

■ After authentication, a user's or device's permission on the network can be controlled by a configured policy.

■ Using 802.1x, Cisco Catalyst switches can permit or deny access to the network at the switch port level.

■ After users or devices are initially granted access to the network, additional policies can limit access to specified network resources.

■ Cisco IP phones can operate in an IBNS network.

NOTE Cisco IP Phones can be recognized via Cisco Discovery Protocol (CDP).

■ Cisco IBNS supports multiple authentication types, including EAP-MD5, PEAP, and EAP-TLS.

To illustrate the operation of IBNS, consider Figure 6-14, which shows a PC that boots up and wants to connect to a network. On many networks, a PC first sends a DHCP request to obtain an IP address for use on the network. However, with IBNS, an 802.1x-enabled PC initially sends an Extensible Authentication Protocol over LAN (EAPOL) frame. The Cisco Catalyst switch connected to the PC sees the EAPOL frame and responds to the PC with a challenge. The challenge asks the PC to provide credentials for network access, such as a valid username and password combination. The switch forwards these credentials to a RADIUS server for verification. Upon verification of the supplied credentials, the switch grants the PC access to the network.

Figure 6-14 IEEE 802.1x Port-Based Access Control

(Figure: a PC connected to an 802.1x-enabled switch, which in turn communicates with a RADIUS server. Step 1: EAPOL frame. Step 2: Request for credentials. Step 3: Credentials. Step 4: Credentials sent to RADIUS server. Step 5: RADIUS server checks validity of credentials. Step 6: RADIUS server validates credentials. Step 7: Switch allows PC to access the network.)
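The seven-step exchange above, as an added example that is not from the book or from Cisco: a small Python model with the PC as supplicant, the 802.1x-enabled switch as authenticator, and the RADIUS server as authentication server. The credential store, the user names, the choice of EAP-MD5 for the challenge/response, and the mapping of each outcome onto the two address pools of Figure 6-13 are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed data for this example: one valid user in the RADIUS store and the two
# DHCP address pools from Figure 6-13 (authenticated vs. nonauthenticated hosts).
RADIUS_USERS = {"alice": b"correct-horse-battery-staple"}
POOLS = {"authenticated": "192.168.1.0/24", "nonauthenticated": "192.168.2.0/24"}


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response (RFC 3748, same construction as CHAP): MD5(id || secret || challenge).
    The password itself never crosses the wire; only this digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class RadiusServer:
    """Authentication server (the ACS in the text): owns the credential store, issues the
    challenge and validates the response (Steps 5 and 6)."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # username -> (identifier, challenge) awaiting a response

    def access_request_identity(self, username):
        """Access-Request carrying EAP-Response/Identity; answered with an Access-Challenge."""
        identifier, challenge = 1, os.urandom(16)
        self.pending[username] = (identifier, challenge)
        return {"code": "Access-Challenge", "eap": ("MD5-Challenge", identifier, challenge)}

    def access_request_md5(self, username, response):
        """Access-Request carrying the EAP-Response/MD5-Challenge; answered Accept or Reject."""
        identifier, challenge = self.pending.pop(username, (None, None))
        password = self.users.get(username)
        if challenge is None or password is None:
            return {"code": "Access-Reject"}
        expected = eap_md5_response(identifier, password, challenge)
        # Constant-time comparison so a wrong digest is not distinguishable by timing.
        ok = hmac.compare_digest(expected, response)
        return {"code": "Access-Accept" if ok else "Access-Reject"}


class Supplicant:
    """The PC. A host whose OS has no 802.1x supplicant never sends an EAPOL frame."""

    def __init__(self, username, password, supports_dot1x=True):
        self.username, self.password, self.supports_dot1x = username, password, supports_dot1x

    def eapol_start(self):
        return {"type": "EAPOL-Start"} if self.supports_dot1x else None

    def identity(self):
        return self.username

    def answer_challenge(self, identifier, challenge):
        return eap_md5_response(identifier, self.password, challenge)


class Authenticator:
    """An 802.1x-enabled Catalyst switch port. It relays EAP between the PC and RADIUS
    and keeps the port unauthorized until the server returns Access-Accept."""

    def __init__(self, radius):
        self.radius = radius
        self.port_state = "unauthorized"

    def connect(self, pc):
        # Step 1: EAPOL frame from the PC (or nothing, if the OS has no supplicant).
        if pc.eapol_start() is None:
            # Modelled as in Figure 6-13: the host is left in the nonauthenticated pool.
            return self._outcome("nonauthenticated")
        # Steps 2-3: the switch asks for credentials and the PC supplies its identity.
        username = pc.identity()
        # Step 4: identity forwarded to RADIUS; the server's challenge is relayed to the PC
        # and the PC's digest is relayed back. The switch never sees the password.
        _, identifier, challenge = self.radius.access_request_identity(username)["eap"]
        response = pc.answer_challenge(identifier, challenge)
        verdict = self.radius.access_request_md5(username, response)  # Steps 5-6
        # Step 7: only an Access-Accept opens the port.
        if verdict["code"] == "Access-Accept":
            self.port_state = "authorized"
            return self._outcome("authenticated")
        return self._outcome("nonauthenticated")

    def _outcome(self, pool_name):
        return {"port_state": self.port_state, "pool": POOLS[pool_name]}


def run_example():
    """Three ports on the same switch, one scenario each; returns the outcome per scenario."""
    radius = RadiusServer(RADIUS_USERS)
    return {
        "valid": Authenticator(radius).connect(Supplicant("alice", b"correct-horse-battery-staple")),
        "bad_password": Authenticator(radius).connect(Supplicant("alice", b"wrong")),
        "no_supplicant": Authenticator(radius).connect(Supplicant("bob", b"", supports_dot1x=False)),
    }


if __name__ == "__main__":
    for name, outcome in run_example().items():
        print(f"{name:14s} port={outcome['port_state']:12s} pool={outcome['pool']}")
```

EAP-MD5 is used here because it is the simplest method on the book's list; it authenticates only the client and sends its digest in the clear, which is why PEAP and EAP-TLS, which wrap the exchange in TLS, are the usual choices in deployments. The model also collapses two cases that a real Catalyst switch keeps apart: a host with no supplicant (typically placed in a guest VLAN) and a host whose credentials were rejected (typically an auth-fail VLAN, or no access at all); Figure 6-13 shows only the single nonauthenticated pool, so that is what the example reproduces.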
