Published by Stanley Wilcox. Modified over 9 years ago.
Slide 1: eID Cards and “Identity Based Networking Services”
Because “Networks” are an integral part of the total solution.
Walter Gillis, Account Manager for Flemish Government, wgillis@cisco.com, GSM: +32 476 476 006
Slide 2: Cisco IBNS - eID. The Political / Technical Challenge: opening up the “internal network”
- Align the social infrastructure with the collaborative needs of their “Citizens”. Work, Learn, Play!
- Change from “controlling the flows of info” into “facilitating networks of info”.
- Who is sitting next to you, and what can you/he do?
Slide 3: Cisco IBNS - eID. IBNS in practice: Library
- A wired and/or wireless network is offered to access resources like the Internet, printers, web servers, ...
- Access for “civil servants” is different from access for “citizens”: citizens only need access to the Internet, printers and city web servers; civil servants can access internal applications by using their eID.
Slide 4: Cisco IBNS - eID. IBNS in practice: Teleworking using SSL VPNs
- Citizens: the user can be “authenticated” in the eLocket application, instead of the connection, by using IBNS with eID. This avoids an unknown neighbour listening in.
- Public servants: can use ALL the internal applications (data/voice) as if at work.
Slide 5: Cisco IBNS - eID. ...While the Assets Needing to be Protected are Expanding
[Diagram labels: Service Provider/Internet, Teleworker, City Hall VPN Head-End, Cable Provider, 831, Airport, Library, Partner/Vendor]
One physical network must accommodate multiple logical networks (user groups), each with its own rules.
Slide 6: Cisco IBNS - eID. IDENTITY: So, you said MAC Address?
- Win 2K & XP allow easy change of MAC addresses.
- A MAC address is not an authentication mechanism...
Slide 7: Cisco IBNS - eID. User Identity Based Network Access: determining “who” gets access and “what” they can do
User-based policies applied (BW, QoS etc.) across the campus network.
- Equivalent to placing a security guard at each switch port
- Only authorized users can get network access
- Unauthorized users can be placed into “Guest” VLANs
- Prevents unauthorized APs
[Diagram labels: Authorized Users/Devices, Unauthorized Users/Devices]
Slide 8: Cisco IBNS - eID. Some IEEE Terminology
IEEE term               Normal people term
Supplicant              Client
Authenticator           Network Access Device
Authentication Server   AAA/RADIUS Server
Slide 9: Cisco IBNS - eID. Wired Access Control Model
- Client and switch talk 802.1X; the switch speaks to the auth server using RADIUS.
- The actual authentication conversation is between the client and the auth server using EAP; the switch is just a middleman, but is aware of what’s going on.
- RADIUS acts as the transport for EAP from the authenticator (switch) to the authentication server (RADIUS server).
- RADIUS is also used to carry policy instructions back to the authenticator in the form of AV pairs.
[Diagram: IP Header | UDP Header | RADIUS Header | EAP Payload / AV Pairs]
Slide 10: Identity Based Network Services (IBNS). Login flow shown in the diagram:
1. Login request: the 802.1X-capable client sends Login + Certificate to the 802.1X-capable access device.
2. Login info: the access device forwards it to the CiscoSecure ACS AAA RADIUS server (802.1X authentication server).
3. Verify login and check with policy DB: ACS checks Active Directory (login and certificate services).
4. Login good! Login verified; ACS returns the policies to apply: “set port to enable”, “set port vlan 10” (VLAN 10, the Engineering VLAN).
5. The switch applies the policies and enables the port.
Access devices shown: 6500 Series, 4000 Series, 3550/2950 Series switches and access points. Mechanisms: IEEE 802.1X + VLANs + VVID + ACL + QoS.
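The two slides above describe the RADIUS leg of the exchange in words: the switch relays the supplicant's EAP messages to the AAA server inside RADIUS, and the server's Access-Accept carries the port policy back as AV pairs (here the VLAN 10 assignment). The following Python is an added example written for this page; it is not Cisco code and not part of the presentation. It builds the two packets on the wire per RFC 2865/2869/3580, and shows the check the authenticator must do before acting on the returned policy: the Response Authenticator and Message-Authenticator must verify under the shared secret, otherwise the VLAN instruction is ignored. The shared secret, the identity "civil1" and the fixed Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 2869, RFC 3580)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # the RFC 3580 VLAN-assignment pair


def avp(attr_type, value):
    """One RADIUS attribute-value pair: Type, Length (value + 2), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(tag, n):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte followed by a 3-byte integer."""
    return bytes([tag]) + n.to_bytes(3, "big")


def build(code, ident, request_auth, attrs, secret):
    """Serialize a packet that ends with a Message-Authenticator (RFC 2869 5.14).
    An Access-Request carries request_auth in its Authenticator field; a reply carries
    the Response Authenticator MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # HMAC-MD5 over the packet with the Request Authenticator in the Authenticator
    # field and the Message-Authenticator value zeroed
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    if code == ACCESS_REQUEST:
        authenticator = request_auth
    else:
        authenticator = hashlib.md5(header + request_auth + body + secret).digest()
    return header + authenticator + body


def parse(packet):
    """Split a packet into (code, id, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return code, ident, packet[4:20], attrs


def verify_response(packet, request_auth, secret):
    """Authenticator-side check of an Access-Accept: the Response Authenticator and
    the Message-Authenticator must both match before any AV pair is acted on."""
    _, _, authenticator, attrs = parse(packet)
    header, body = packet[:4], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = b"".join(avp(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(macs[0], mac)


def vlan_from_accept(attrs):
    """RFC 3580 3.31: honour a VLAN only if Tunnel-Type=VLAN, Tunnel-Medium-Type=802
    and Tunnel-Private-Group-ID are all present and share one tag."""
    ttype = tmed = group = None
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            parsed = (v[0], int.from_bytes(v[1:], "big"))
            if t == TUNNEL_TYPE:
                ttype = parsed
            else:
                tmed = parsed
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)   # tag byte is optional
            group = (tag, text.decode("ascii", "replace"))
    if None in (ttype, tmed, group):
        return None
    if ttype[1] != TUNNEL_TYPE_VLAN or tmed[1] != TUNNEL_MEDIUM_802:
        return None
    if not ttype[0] == tmed[0] == group[0]:
        return None
    return group[1]


def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange: the switch relays the supplicant's EAP Response/Identity in an
    Access-Request; the AAA server answers Access-Accept with AV pairs assigning VLAN 10."""
    request_auth = bytes(range(16))          # constructed; a real switch uses 16 random bytes
    eap = struct.pack("!BBHB", 2, 1, 11, 1) + b"civil1"   # EAP Response, id 1, len 11, Identity
    request = build(ACCESS_REQUEST, 7, request_auth,
                    [avp(USER_NAME, b"civil1"), avp(EAP_MESSAGE, eap)], secret)
    _, ident, req_auth_seen, _ = parse(request)             # what the server sees
    accept = build(ACCESS_ACCEPT, ident, req_auth_seen,
                   [avp(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
                    avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_802)),
                    avp(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"10")], secret)
    ok = verify_response(accept, request_auth, secret)
    vlan = vlan_from_accept(parse(accept)[3]) if ok else None
    # The same reply with the VLAN id rewritten in transit but the authenticators untouched:
    # the switch must reject it rather than move the port to VLAN 99
    forged = accept[:20] + b"".join(
        avp(t, bytes([1]) + b"99" if t == TUNNEL_PRIVATE_GROUP_ID else v) for t, v in parse(accept)[3])
    return ok, vlan, verify_response(forged, request_auth, secret)


if __name__ == "__main__":
    print(demo())
```

The order of checks in `verify_response` matters: the Response Authenticator binds the reply to the specific Access-Request it answers, and the Message-Authenticator covers EAP-carrying packets as RFC 2869 requires, so a reply whose attributes were altered after leaving the server fails before `vlan_from_accept` ever runs.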
Slide 11: Cisco IBNS - eID. Windows Machine Authentication
[Boot timeline shown: Power up; load NDIS drivers; 802.1X: authenticate as computer; DHCP; set up secure channel to DC; update GPOs; apply computer GPOs; present GINA (Ctrl-Alt-Del); login]
What is Machine Authentication? The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session.
What is it used for? Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows Domain Controllers in order to pull down machine group policies.
Why do we care? Pre-802.1X this worked under the assumption that network connectivity was a given. Post-802.1X, blocking network access prior to 802.1X authentication breaks the machine-based group policy model – UNLESS the machine can authenticate using its own identity in 802.1X.
Slide 12: Cisco IBNS - eID. Campus Identity - Supplicants
Possible end-points: Windows XP – Yes; Windows 2000 – Yes (SP3 + KB); Linux – Yes; HP-UX – Yes; Solaris – Yes; HP Printers – Yes; Windows 98 – Limited; Windows NT4 – Limited; Apple – Yes; IP Phones – Yes; WLAN APs – Yes; ...
[Diagram labels: Windows, HP Jet Direct, Solaris, 7920, Apple, IP Phones, WLAN APs, Pocket PC]
Slide 13: Cisco IBNS - eID. Cisco IBNS Features and Benefits
- Enhanced port-based access control
- Greater flexibility and mobility for a stratified user community
- Enhanced user productivity
- Added support for converged VoIP networks
- Centralized management with Cisco Secure ACS
- Wireless mobility with 802.1X and EAP authentication types
Catalyst switch portfolio: basic 802.1X support; 802.1X with VLANs; 802.1X with port security; 802.1X with VVID; 802.1X guest VLANs; 802.1X with ACLs; high availability for 802.1X; high availability for port security.
Slide 14: Cisco IBNS - eID. Cisco Secure ACS in a Nutshell: pervasive identity networking solution and centralized secure user/admin AAA experience for Cisco intelligent information networks
[Diagram: End User Client -> AAA client -> Cisco Secure ACS -> User DB (plus an Unknown User DB); between AAA client and ACS: RADIUS/TACACS+ (authentication, limited authorization)]
- End-user authentication methods: PAP, CHAP, MSCHAP (dial, VPN); LEAP (wireless); EAP-MD5, EAP-TLS, PEAP (802.1X for wired and wireless LAN)
- End-user clients: Windows 98, ME, NT4, 2000, XP, MAC, Linux...
- AAA clients: AS53xx/AS54xx (dial), DSL, VoIP, Cable, CE/CDM (Content), IOS routers, PIX/VPN, Wireless (Aironet), 2950/3550/4x00/6500 (Catalyst), VMS, HSE, WSLE (CiscoWorks)...
- User DBs: CSDB, NT/AD, NDS, LDAP, ODBC, OTP, RADIUS proxy
- ACS platforms: Windows 2000, Windows Server 2003, 1RU appliance
Slide 15: Cisco IBNS - eID. ACS and IBNS Benefits
802.1X and Cisco Secure ACS provide RADIUS-based user authentication, authorization and accounting:
- User authentication flexibility: EAP provides extensibility around different authentication types (EAP-MD5, EAP-TLS, PEAP, LEAP).
- User authorization rules: time-of-day and day-of-week restrictions, user and group quotas, maximum sessions, switch access filters, and per-user VLAN assignments.
- User accounting and auditing: complete user logging, including a logged-in user list detailing session length, IP and MAC addresses, and also failed login attempts.
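The authorization and accounting bullets above list rule types without showing how they combine on one access decision. The Python below is an added example for this page, not Cisco Secure ACS code or any part of the presentation: it evaluates the listed rule kinds (day-of-week, time-of-day, maximum sessions, per-group VLAN) in a fail-closed order against a constructed session table, and builds the accounting record fields the slide names (session length, IP, MAC). Group names, VLAN ids, time windows, users, addresses and timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class GroupPolicy:
    vlan: str                # per-group VLAN returned to the switch on accept
    weekdays: frozenset      # allowed days, 0 = Monday ... 6 = Sunday
    window: tuple            # (start, end) time of day; start inclusive, end exclusive
    max_sessions: int        # concurrent sessions allowed per user


@dataclass(frozen=True)
class Decision:
    accept: bool
    vlan: Optional[str]
    reason: str


# Constructed policies echoing the library scenario on an earlier slide
POLICIES = {
    "civil-servants": GroupPolicy("10", frozenset(range(5)), (time(7, 0), time(19, 0)), 2),
    "citizens": GroupPolicy("200", frozenset(range(7)), (time(8, 0), time(22, 0)), 1),
}


def authorize(user, group, active_sessions, now, policies=POLICIES):
    """Apply the rule types the slide lists, in order, failing closed on the first miss.
    active_sessions holds (user, mac, ip, start) tuples taken from the accounting log."""
    policy = policies.get(group)
    if policy is None:
        return Decision(False, None, "no policy for group")
    if now.weekday() not in policy.weekdays:
        return Decision(False, None, "day-of-week restriction")
    start, end = policy.window
    if not start <= now.time() < end:
        return Decision(False, None, "time-of-day restriction")
    open_sessions = sum(1 for s in active_sessions if s[0] == user)
    if open_sessions >= policy.max_sessions:
        return Decision(False, None, "max sessions reached")
    return Decision(True, policy.vlan, "accepted")


def session_record(user, mac, ip, start, stop, outcome):
    """Accounting line with the fields the slide names: session length, IP and MAC."""
    return {
        "user": user, "mac": mac, "ip": ip,
        "length_s": int((stop - start).total_seconds()),
        "outcome": outcome,
    }


def demo():
    wed_10 = datetime(2024, 5, 15, 10, 0)    # constructed: a Wednesday morning
    wed_20 = datetime(2024, 5, 15, 20, 30)   # same day, after the civil-servant window
    sun_10 = datetime(2024, 5, 19, 10, 0)    # constructed: a Sunday
    # Constructed accounting table: bob already holds his single allowed session
    sessions = [("bob", "00:11:22:33:44:55", "10.1.200.7", datetime(2024, 5, 15, 9, 0))]
    return {
        "ann_weekday": authorize("ann", "civil-servants", sessions, wed_10),
        "ann_evening": authorize("ann", "civil-servants", sessions, wed_20),
        "ann_sunday": authorize("ann", "civil-servants", sessions, sun_10),
        "bob_second": authorize("bob", "citizens", sessions, wed_10),
        "bob_record": session_record("bob", "00:11:22:33:44:55", "10.1.200.7",
                                     sessions[0][3], wed_10, "logout"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Each denial carries the rule that fired, which is the detail a failed-login audit needs; the session table is the same data the accounting side writes, so the maximum-sessions rule is only as accurate as the logout and interim records the switch actually sends.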
Slide 16: Cisco IBNS - eID. © 2002, Cisco Systems, Inc. All rights reserved.