eID Cards eID Cards and “Identity Based and “Identity Based Networking Services”Networking Services”

Because “Networks” are an integral Because “Networks” are an integral part of the total solution.part of the total solution.

Walter GillisAccount Manager, for Flemish Governmentwgillis@cisco.comGSM.: +32 476 476 006

Cisco IBNS - eID

The Political - Techn Challenge.The Political - Techn Challenge.Opening-up the “internal network”Opening-up the “internal network”

Align the social infrastructure Align the social infrastructure with the collaborative needs of with the collaborative needs of their “Citizens”. their “Citizens”. Work, Learn, Play !Work, Learn, Play !

ChangeChange from from “controlling the flows of info” “controlling the flows of info”

into into “facilitate networks of “facilitate networks of info”.info”.

Who is sitting next to you and Who is sitting next to you and what can you/he do ?what can you/he do ?

Cisco IBNS - eID

IBNS in practice.IBNS in practice.

Library. Library. A wired and/or wireless network A wired and/or wireless network

is offered to access resources is offered to access resources like Internet, Printers, Web-like Internet, Printers, Web-servers, …servers, …

Access for “civil servants” is Access for “civil servants” is different then for “citizens” :different then for “citizens” : Citizens only need to have access Citizens only need to have access

to Internet, Printers and city web-to Internet, Printers and city web-servers.servers.

Civil Servants can access internal Civil Servants can access internal applications by using their eIDapplications by using their eID

Cisco IBNS - eID

IBNS in practice : IBNS in practice : TeleworkingTeleworking

Teleworking using SSL-VPN’sTeleworking using SSL-VPN’s Citizens ;Citizens ;

Can “authenticate” the user in the Can “authenticate” the user in the eLocket application in stead of the eLocket application in stead of the connection by using IBNS with eID. connection by using IBNS with eID. Avoid that unknown neighbor is Avoid that unknown neighbor is listening in.listening in.

Public ServantPublic Servant Can use ALL the internal Can use ALL the internal

applications (data/voice) as if @ applications (data/voice) as if @ work. work.

Cisco IBNS - eID

……While the Assets Needing to While the Assets Needing to be Protected are Expandingbe Protected are Expanding

Service Provider/Internet

Teleworker

City Hall

VPNHead-End

CableProvider

831

AirportLibrary

Partner/Vendor

One physical network, must accommodate multiple logical networks (user groups) each with own rules.

Cisco IBNS - eID

IDENTITY:IDENTITY:So, you said MAC Address ? So, you said MAC Address ?

Win 2K & XP Win 2K & XP allow easy allow easy change for MAC change for MAC addressesaddresses

MAC address is MAC address is not an not an authentication authentication mechanism…mechanism…

Cisco IBNS - eID

User Identity BasedNetwork Access

Determining “who” gets access Determining “who” gets access and “what” they can doand “what” they can do

User Based Policies Applied(BW, QoS etc)

Campus Network

Equivalent to placing a Security Guard at each Switch PortEquivalent to placing a Security Guard at each Switch Port Only Authorized users can get Network AccessOnly Authorized users can get Network Access Unauthorized users can be placed into “Guest” VLANsUnauthorized users can be placed into “Guest” VLANs Prevents unauthorized APsPrevents unauthorized APs

AuthorizedUsers/Devices

UnauthorizedUsers/Devices

Cisco IBNS - eID

Some IEEE TerminologySome IEEE Terminology

IEEE TermsIEEE Terms Normal People Normal People TermsTerms

SupplicantSupplicant ClientClient

AuthenticatorAuthenticator Network Access DeviceNetwork Access Device

Authentication ServerAuthentication Server AAA/RADIUS ServerAAA/RADIUS Server

Cisco IBNS - eID

Wired Access Control Wired Access Control ModelModel

Client and Switch Talk 802.1x Switch Speaks to Auth Server Using RADIUS

Actual Authentication Conversation Is between Client and Auth Server Using EAP;the Switch Is Just a Middleman, but Is Aware of What’s Going on

• RADIUS acts as the transport for EAP, from the authenticator (switch) to the authentication server (RADIUS server)

•RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.

RADIUS Header EAP PayloadUDP HeaderUDP HeaderIP HeaderIP Header AV Pairs

Identity Based Network Identity Based Network Services (IBNS)Services (IBNS)

Login Request

Login Info

Verify Login and Check with Policy DB

Login Good!Apply Policies

• Set port to enable• set port vlan 10

VLAN 10

Engineering VLAN

Switch applies policies and enables port.

Login + Certificate

Login Verified

CiscoSecure ACS

AAA Radius Server

802.1x Authentication Server

Active Directory

Login and Certificate Services

6500 Series Access Points

4000 Series

3550/2950 Series

802.1x Capable Access Devices

802.1x Capable ClientIEEE802.1x+ VLANS+ VVID+ ACL+ QoS

Active Directory

Cisco IBNS - eID

Campus Identity - Campus Identity - SupplicantsSupplicants

• Possible End-Points : Windows XP – YesWindows 2000 – Yes (SP3 + KB)Linux – YesHP-UX – YesSolaris - YesHP Printers – YesWindows 98 – LimitedWindows NT4 – LimitedApple – yesIP Phones – yesWLAN APs – yes….

Windows HP Jet Direct

Solaris 7920 Apple

IP Phones WLAN APsPocket PC

Cisco IBNS - eID

Cisco IBNSCisco IBNS Features and Features and BenefitsBenefits

Enhanced Port Based Enhanced Port Based Access ControlAccess Control

Greater flexibility and Greater flexibility and mobility for a mobility for a stratified user stratified user communitycommunity

Enhanced User Enhanced User ProductivityProductivity

Added support for Added support for converged VoIP converged VoIP networksnetworks

• Centralized Management with Cisco Secure ACS

• Wireless Mobility with 802.1X and EAP Authentication Types

• Catalyst Switch Portfolio

• Basic 802.1X Support

• 802.1X with VLANs

• 802.1X with Port Security

• 802.1X with VVID

• 802.1X Guest VLANs

• 802.1X with ACLs

• High Availability for 802.1X

• High Availability for Port Security

Cisco IBNS - eID

RADIUS/TACACS+

Authentication,Limited

authorization

AAA Client AAA server Unknown User DBEnd User Client

Cisco Secure ACS in a Cisco Secure ACS in a NutshellNutshell

Pervasive identity networking solution and centralized secure user/admin AAA experience for

Cisco intelligent information networksEnd User Client AAA client Cisco Secure ACS User DB

PAP, CHAP, MSCHAP (dial, VPN)

LEAP (Wireless)

EAP-MD5, EAP-TLS, PEAP (802.1X for Wired and Wireless LAN)

Windows 98, ME, NT4, 2000, XP, MAC, Linux…

CSDB

NT/AD

NDS

LDAP

ODBC

OTP

RADIUS proxy

AS53xx/AS54xx (dial)

DSL, VoIP, Cable

CE/CDM (Content)

IOS routers

PIX/VPN

Wireless (aironet)

2950/3550/4x00/6500 (Catalyst)

VMS, HSE, WSLE (Cisco Works)…

Windows 2000

Windows Server 2003

1RU Appliance

Cisco IBNS - eID 161616© 2002, Cisco Systems, Inc. All rights reserved.