Concepts of Cisco IBNS in Action

[Figure: Authorized User and Unauthorized External Wireless User in relation to Corporate Resources]

Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. The Cisco IBNS solution enables greater security while simultaneously offering cost-effective management of changes throughout the organization.

Cisco IBNS provides the network with the following services and capabilities:

■ User or device authentication, or both

■ Mapping the identity of a network entity to a defined set of policies configured by management

■ Granting or denying network access, at the port level, based on configured authorization policies

■ Enforcement of additional policies, such as resource access, when access is granted

These capabilities are introduced when a Cisco end-to-end system is implemented with the Cisco Catalyst Family of switches, wireless LAN access points and controllers, and Cisco ACS. Additional components of the system include an IEEE 802.1X-compliant client OS, such as Microsoft Windows XP, and an optional X.509 public key infrastructure (PKI) certificate architecture. Cisco IP phones also interoperate with an identity-based networking system based on IEEE 802.1X when deployed on a Cisco end-to-end infrastructure.

2-70 Securing Networks with Cisco Routers and Switches (SNRS) v2.0 © 2007 Cisco Systems, Inc.

With 802.1X, you can set up two different DHCP pools: addresses in one range (for example, the 10.0.0.0 network) are assigned to devices that authenticate properly, and a device that does not offer the right credentials is dynamically assigned an address in another range (for example, the 192.168.0.0 network).

When a teleworker starts up or connects the PC on the home LAN, the PC usually first requests its network identity (IP address) and other needed information from a DHCP server; for PCs enabled for 802.1X, the first request is instead an Extensible Authentication Protocol over LAN (EAPOL) request.

When the access device (such as a Cisco switch) sees this request, it challenges the PC, which responds with the appropriate credentials (for example, a user ID and password). The switch checks with the AAA server across the VPN to authenticate the user's credentials via RADIUS; if the teleworker logs in successfully, the PC is provided a network address and other information via DHCP on a subnet that allows access to the enterprise via the switch.

If a PC is not 802.1X capable, or the user does not log in successfully, the PC will be provided a network address on a subnet that only allows Internet access.

The advantages of the access control using 802.1X authentication feature are as follows:

■ The user is prompted upon PC start-up or plug-in to the LAN; web access to a protected site to initiate the challenge is not required (as it is with Authentication Proxy)

■ The IP phone can be automatically allowed through the VPN; CDP is used for IP phone discovery

■ A separate address range for spouse-and-child PCs allows for standardized addressing and access control, and a smaller enterprise addressable subnet for each teleworker home

■ The teleworker can still communicate with non-enterprise PCs, print servers, and the like, if permitted—allowing for sharing between all home workstations

■ Multiple authentication types are supported, including two-way authentication and the use of certificates, as permitted in the 802.1X standard; EAP-MD5, PEAP, and EAP-TLS are among the supported authentication methods

■ PCs with static IP addresses in the enterprise addressable subnet cannot access the VPN until 802.1X authentication occurs; this reduces rogue access

■ Any wireless PC (teleworker, spouse, child, or rogue) by default cannot gain enterprise access; this reduces rogue access
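The two-pool design described above, written out as an illustrative Cisco IOS fragment for a teleworker access device. This is an added example, not configuration from the course or from Cisco; the VLAN numbers, subnets, RADIUS server address and shared-secret placeholder are assumed values. Authenticated PCs land in VLAN 10 (enterprise-addressable 10.0.0.0/24), while PCs that cannot speak 802.1X (guest VLAN) or that fail authentication (auth-fail VLAN) land in VLAN 20 (Internet-only 192.168.0.0/24); the IP phone is placed in the voice VLAN via CDP.

```cisco
! --- AAA: send 802.1X (EAP) authentication to the RADIUS server across the VPN ---
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key <SHARED-SECRET-PLACEHOLDER>
!
! --- Two DHCP pools: the pool chosen depends on which VLAN the port ends up in ---
ip dhcp excluded-address 10.0.0.1 10.0.0.10
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool ENTERPRISE
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
!
ip dhcp pool INTERNET-ONLY
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
!
! --- One SVI per subnet so the device can serve DHCP on both (assumed addressing) ---
interface Vlan10
 description Enterprise-addressable subnet (authenticated PCs)
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 description Internet-only subnet (guest / auth-fail PCs)
 ip address 192.168.0.1 255.255.255.0
!
! --- Teleworker PC port: 802.1X enforced, fallback VLANs for non-capable or failed clients ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
 dot1x port-control auto
 ! client sends no EAPOL at all (not 802.1X capable): moved to VLAN 20
 dot1x guest-vlan 20
 ! client answers the challenge but credentials are rejected: moved to VLAN 20
 dot1x auth-fail vlan 20
 dot1x auth-fail max-attempts 3
 spanning-tree portfast
```

Access to the enterprise VPN should additionally be restricted to the 10.0.0.0/24 subnet with an access list, so that a PC in VLAN 20 cannot reach corporate resources even with a statically configured address.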

© 2007 Cisco Systems, Inc. Trust and Identity 2-71
