1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x OVERVIEW Sudhir Nath Product Manager, Trust & Identity Internet Technologies Division

2 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Agenda IBNS & 802.1x 802.1x Components 802.1x Markets 802.1x Customers 802.1x Target Platforms 802.1x in Cisco IOS Cisco IOS 802.1x Roadmap

3 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Identity-Based Networking Services and 802.1x 802.1x is a key component of Identity-Based Networking Services (IBNS) Identifying who can access what information in the network IBNS has predominantly been focused on switches

4 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID User Identity Based Network Access User Based Policies Applied (BW, QoS etc) Campus Network Equivalent to placing a security guard at each switch port Only authorized users can get network access Unauthorized users can be placed into “Guest” VLANs Prevents unauthorized Access Points Authorized Users/Devices Unauthorized Users/Devices Cisco Embedded Security with IBNS

5 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID IBNS Benefits Improve flexibility and mobility for users Strengthen security for network connectivity, services, and applications Increase user productivity and lower operating costs Combine authentication, access control and user profiles IBNS combines authentication, access control and user profiles

6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Client-server based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports Key technology in IBNS for authentication & access control Standard set by the IEEE working group. Standard link layer protocol used for transporting higher- level authentication protocols Works between the supplicant (client) and the authenticator (network device) Maintains backend communication to an authentication (RADIUS) server 802.1x

7 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID IEEE 802.1x Authentication Server x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports User activates link (ie: turns on the PC) 2 Switch requests authentication server if user is authorized to access LAN 3 4 Authentication server responds with authority access Switch opens controlled port (if authorized) for user to access LAN

8 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID IEEE 802.1x Components Authenticator PAE (Switch or Router) Supplicant PAE (Port Access Entity) EAPOL Extensible Authentication Protocol over LAN Authentication Server

9 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID How Does 802.1x Work? Controlled Un-Controlled For each 802.1x switch port, the switch creates TWO virtual access points at each port Uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic ONLY The controlled port is open only when the device connected to the port has been authorized by 802.1x EAPOL

10 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x Header EAP Payload What Does 802.1x Do? Transport authentication information in the form of Extensible Authentication Protocol (EAP) payloads Authenticator (switch or router) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information Three forms of EAP are specified in the standard EAP-MD5 – MD5 Hashed Username/Password EAP-OTP – One-Time Passwords EAP-TLS – Strong PKI Authenticated Transport Layer Security (SSL)

11 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x Identity and Security Authentication Who can access the network and services? Authorization What is the user allowed? Access Control Control is based on authentication and authorization Policy enforcement Combining authentication, authorization, and access control to enforce enterprise/SP policies

12 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Key 802.1x Functions/Building Blocks 802.1x Authenticator Controls access to Layer 2 resources Mechanisms to grant access Authorization policy from AAA/Radius/ACS 802.1x Supplicant Provides client capability Computers, routers, switches, PDAs, IP phones 802.1x Mutual authentication Client and server authentication Support for EAP transport

13 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x Benefits Uses standards-based technology to control network access Extends authentication to other security areas Authorization, access control, and policy enforcement Controls exercised at link layer, so all services riding on it can use link layer services Interoperates in wired, wireless, & switching scenarios Reduces overall IT costs by preventing external and internal threats Enables and performs centralized user administration

14 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x Markets and Applications SOHO/Telecommuter Enterprise Wired Wireless Remote access Service provider Metro Ethernet Wireless

15 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Service Provider VPN Tunnel Corporate user Personal user Difficult to prevent unauthorized “home users” from accessing corporate network No prevention of rogue wireless access points Today’s Enterprise Barriers – “Spouse and Kids Problem” SOHO / Telecommuter

16 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID VPN Tunnel Corporate user Uses Tunnel Personal user Straight to Internet Prevents unauthorized users from accessing corporate network Identifies IP phone, identifies the policy, and uses the Corporate VPN tunnel Identifies individual wireless access points, applies the policy, and enables authorized users to access the VPN tunnel Cisco IOS® Software 802.1x Phase 1 addresses all of these issues Service Provider 802.1x Integration SOHO / Telecommuter (Cont.)

17 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID POP CE Authentication by SP (Optional UNI Feature) PE-CLE Authentication by SP Supplicant PAE Metro Ethernet x

18 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID SOHO / Telecommuter Customers ABB Intel Verizon Home Depot

19 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Metro Ethernet Customers Time Warner Verizon Swisscom SBC Telecom Italia Bell Canada AT&T Sprint Bell South EDDI Cox Cable Reliance FastwEB NTT

20 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x Target Platforms Access Routers Cisco 800 – 3700 Series Routers Metro Ethernet hardware Cisco 2750, 3550, and Congo Routers Cisco Catalyst ® 4500 and 6500 Series Switches Cisco 7600, 10000, and Series Internet Routers

21 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Cisco Catalyst 6500 Series Switch Cisco Catalyst 4000 and 4500 Series Switches Cisco ACS Server Cisco Catalyst 2950, 3550, 3750 Routers Cisco Aironet Cisco Products with 802.1x

22 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Cisco Catalyst 6500 Series Support Basic 802.1X Support 802.1X with VLANs 802.1X with Port Security 802.1X with VVID 802.1X Guest VLANs 802.1X with ACLs High Availability for 802.1X High Availability for Port Security Cisco Catalyst Switch portfolio

23 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x in Cisco IOS Software Control who is allowed access earlier and sooner in the stack by building authentication at link layer (Layer 2) Use standards-based 802.1x technology so it is easier to interoperate with switches and wireless access points Extend 802.1x services to leverage other identity and security services Address SOHO/Telecommuters, wired and wireless Enterprise, and Service Provider markets

24 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x in Cisco IOS Software (Cont.) Build common 802.1x features to address the basic building blocks (Release 12.3T) Authenticator Supplicant EAP transport capability for different hashing types Mutual authentication Port common functionality to Release 12.2S and derivatives All supported hardware must add unique 802.1x functionality

25 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x Roadmap Phase Summary Phase 1 Authenticator Phase 2 Supplicant Mutual authentication Phase 3 Metro Ethernet market Phase 4 Wireless iEdge

26 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x authenticator support in Cisco IOS Software MAC based authentication Static DHCP address pools Default authorization policy Split tunneling Multi-auth support Stealth deployment 802.1x Phase 1 Release 12.3(4)T

27 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x supplicant support in Cisco IOS Software Mutual authentication Support for EAP transport EAP MD5 EAP TLS Policy enforcement to include user access restrictions 802.1x Phase 2 Target: Release 12.3(5th)T

28 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x Phase 3 Target: Release 12.2(Rls6)S Addresses Metro Ethernet market segment Common feature code from Phase 2 Hardware-specific feature code and test strategies will be determined with hardware teams Metro Ethernet Platforms Cisco 2750, 3750, Congo, 6500, and 7600 Series

29 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x Phase 3.1 Target: Release 12.2(Rls7)S Add additional hardware products for the Metro Ethernet market segment New hardware products will be supported: Cisco 4500 Series Switch Cisco and Series Internet Routers

30 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Radius Proxy IP Phone Monitoring and management 802.1x MIB Scalability and high availability 802.1x Phase 4 Target: Release 12.3(6 th )T

31 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x Phase 5 Target: Release 12.3(7 th )T Interoperability with wireless access points Antibody iEdge interoperability

32 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID References Ian Foo: Slide presentation at brown-bag lunch Ken Hook: IBNS launch Eric Voit: Metro Ethernet slide presentation Eric Marin: Slide presentation

33 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 33 © 2003 Cisco Systems, Inc. All rights reserved x Overview, 11/03