
Engineer-Consultant - Cisco · Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved.

Date post: 08-Jul-2020
Transcript
Page 1: Role-based access control in the LAN

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1

Role-based access control in the LAN. Practical scenarios for applying the technologies.

Vladimir Ilibman, Systems Engineer Consultant

Page 2: Contents

• Overview of Cisco TrustSec
• Network identity
• Authorization and policy enforcement
• Data integrity and confidentiality
• Managing TrustSec: CiscoWorks LMS 4.0
• Overview of the new versions of Cisco network access control solutions: Cisco NAC, Cisco ACS, NAC Guest, NAC Profiler

Page 3: Today: a dynamic access environment

IP camera | Corporate resource | MAC: F5 AB 8B 65 00 D4
Laptop | Corporate resource | Laboratory | 11 a.m.
Maria Sidorova | Employee | HR | Wired access | 11:00
Printer | Non-corporate asset | MAC: B2 CF 81 A4 02 D7
IP phone G/W | Corporate asset | Finance department | 11:00 p.m.
Sergey Balazov | Contractor | IT | Wired connection | 10 a.m.
Anna Petrova | Employee | CEO | Remote access | 10 p.m.
Katya Zhukovskaya | Employee | R&D | WiFi | 14:00
Anton Almazov | Consultant | Head office | Remote access | 6 p.m.
Victoria Katernyuk | Employee | Wired access | 15:00

Confidential resources: the network, devices and applications
Many access methods: different devices, different locations
Users and devices: employees, contractors, phones, printers…
Everything needs to be controlled

Page 4: The importance of policy

Protecting the communications environment: as the boundaries of the network blur, access to resources has to be controlled.

Ensuring compliance: meeting strict corporate, government and regulatory requirements.

Increasing security: making sure that users and devices comply with policy is important for information security.

Page 5: Cisco TrustSec

TrustSec is an umbrella architecture for raising the security of the campus network and the data center. It helps companies protect the network, data and resources by means of:

• network identity technologies
• access control technologies based on policies and user roles
• additional services that protect access and the transmission medium

Page 6: Key functions of Cisco TrustSec

Policy-based access control
• Consistent policies for users and devices
• Access control based on user roles (RBAC)
• Distributed enforcement
• Topology-independent access control using Security Group Access Control (SGAC)

Network identity
• Control based on identity information and attributes (time, location, access method)
• Support for Cisco Medianet and QoS for applications associated with user roles

Additional services
• Guest access
• Posture assessment of devices and their compliance with security policy
• Agentless device profiling
• Encryption of the data link based on the IEEE 802.1AE standard

Page 7: Cisco TrustSec architecture: Identity-Based Networking Services (IBNS)

Diagram labels: Additional services; Authorization; Identification, Authentication; ACL; 802.1X; 802.1X-REV; MAB; WebAuth; Policy; VLAN; Integration with UC.

Page 8: Cisco TrustSec architecture: network access control (NAC)

Diagram labels: Additional services; Authorization; Identification, Authentication; ACL; Device posture assessment; NAC (in-band, out-of-band); MAB; WebAuth; Policy; Device profiling; VLAN; Guest access.

Page 9: Cisco TrustSec architecture

Diagram labels: Additional services; Authorization; Identification, Authentication; ACL; 802.1X; Device posture assessment; NAC (in-band, out-of-band); 802.1X-REV; MAB; WebAuth; Policy; Security Group Tagging; Device profiling; VLAN; MACSec; Integration with UC; Guest access.

Page 10: Cisco TrustSec: network access control based on 802.1X

Diagram labels: Guest users; Network devices; NAC Guest; NAC Profiler; ACS; 802.1X; Protected resources; IP phones; Control protocol: RADIUS; WLAN controller; Supplicant; User directory; Cisco® Catalyst® switches; Users, hosts; Nexus® 7000 switch; Web; MAC.

Page 11: Cisco TrustSec: network access control based on NAC Appliance

Diagram labels: Guest users; Protected resources; IP phones; NAC Manager; NAC Server; Control protocol: SNMP; WLAN controller; NAC Agent; NAC Guest; NAC Profiler; User directory; Cisco® Catalyst® switches; Network devices; Users, hosts; Web; MAC.

Page 12: Comparison of 802.1X and NAC Appliance

Criterion | Cisco solution based on 802.1X | Solution based on NAC Appliance
Is an agent or supplicant required? | Yes for 802.1X; no for Web authentication | Yes for posture assessment; no for Web authentication
Identification / authorization | Yes | Yes
Checking device compliance with policy | No | Yes
Industry standard | Yes | No
Support for devices without 802.1X | Yes (MAB) | Yes
Support for agentless devices | Yes: NAC Profiler | Yes: NAC Profiler
Support for machine authentication | Yes | No
Support for guest access | Yes | Yes
Control protocol | RADIUS | SNMP

Page 13: Section: Network identity

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID

Page 14: Network identity based on Cisco 802.1X (Identity-Based Networking Services, IBNS)

• IEEE 802.1X authentication for users and devices: standards-based, layer-2 authentication at the port for users and devices.
• MAC Authentication Bypass (MAB): devices without 802.1X can be authenticated using MAB.
• Web authentication: guest users can authenticate through a web portal for temporary access to the network.

Page 15: A network port with 802.1X

Looks the same as a port without 802.1X.

SWITCHPORT

After authentication:
• the security level is raised
• the port is configured (VLAN, ACL, QoS)
• the access event is recorded

Authenticated user

Page 16: Cisco TrustSec Flexible Authentication

Flexible authentication makes it possible to:
• Use three different authentication methods:
  802.1X for devices with supplicants
  MAC Authentication Bypass (MAB)
  Web Authentication (username/password)
• Configure them per port, in any combination and in any order

This reduces network OpEx:
– Corporate users, devices and guest users are supported on the same port
– Users and devices can move freely around the network without reconfiguring equipment

Page 17: How Flexible Authentication works

Configurable per port: 1. method order, 2. method priority, 3. action on failure.

Methods available on the port: 802.1X, MAB, Web Auth
Default order (employee authentication): 802.1X, MAB, Web Auth
Devices without a supplicant; partial access before 802.1X authentication; VIP users: MAB, Web Auth, Web authentication

Page 18: Multiple MACs on a port

SWITCHPORT, VM: 802.1X Multi-Authentication

Control using the MAC address of each device: 802.1X or MAB for each one.
Independent access control on the port for each MAC using a downloadable ACL (dACL).

Page 19: Intermediate network devices

Diagram labels: Hubs; 3rd-party IP phones; Legacy Cisco IP phones; an intermediate device in the middle; PC movement; Identity Enabled Networks.

• A problem for network authentication is the lack of information about the state of a device that is connected to the switch port not directly but through an unmanaged switch, a hub or a telephone.
• We cannot detect that such a device has been disconnected.
• The possibility of moving such devices between switch ports, or of spoofing an authenticated device, creates a security threat.

Page 20: Protection against rogue network devices: Network Edge Access Topology (NEAT)

1. Extends trust to conference rooms, lobbies and blade systems
2. Makes device control in publicly accessible places secure

Diagram labels: AAA; Campus LAN; Wiring closet switch; Wall jack in conference room; Compact switch; Switch authentication (Machine Auth); Port status: Un-Authorized before the switch authenticates, Authorized afterwards; Switch MAC permitted; Connected MACs permitted; Only allow MAC of auth'd host; Connection of the authenticated host's MAC; Remove MAC per notifications; MAC removed on timeout or link down (• Disconnect • Power down • Or Logoff).

Page 21: IP telephony: Multidomain Authentication (MDA)

1. MDA separates the authentication domain for data (the PC) from the one for voice (the IP phone)
2. MDA supports 802.1X or MAB for both authentication domains, voice and data
3. Supports both Cisco IP phones and third-party IP phones

Diagram: Voice and Data, two domains on one port, 802.1q.
Phones authenticate in the voice domain and tag their traffic into the voice VLAN.
The PC authenticates in the data domain; its untagged traffic goes to the data VLAN.

Page 22: 802.1X + IP telephony, port control: three solutions

1. EAPoL-Logoff
Works only with 802.1X devices and certain phones*.
The session is cleared immediately by an EAPoL-Logoff (Proxy EAPoL-Logoff).
Diagram: PC-A disconnects; PC-B connects; Dot1x Logon Required.

2. 802.1X/MAB inactivity timeout
Some devices may need to re-authenticate.
There is a window in which a device can connect before the timer expires and the session is cleared.
Diagram: PC-A disconnects; PC-B connects; Auth Required.

3. CDP 2nd Port Notification (CDP Link Down)
The session is cleared immediately by the CDP Link Down message.
Works with MAB, 802.1X and WebAuth.
Requires no configuration.
Diagram: PC-A disconnects; PC-B connects; Auth Required.

Page 23: Deploying TrustSec with IP telephony: best practices

3rd-generation phone • X.509 certificate support • firmware 8.5(2)
Catalyst switch • 12.2(50)SE3 (2k, 3k) • 12.2(52)SG (4k) • 12.2(33)SXI (6K)
ACS version 5.x; CUCM 7.1.2
EAP-TLS; CDP 2nd Port; 802.1X with MDA; Monitor / Low Impact mode; "touchless" EAP-TLS; Remote 802.1X Enable

Cisco TrustSec provides the industry's most complete IP-phone compatibility with 802.1X:
• Cisco IP phones have a built-in supplicant that supports EAP-MD5, EAP-FAST and EAP-TLS, and pre-installed digital certificates (MIC) that can be used for 802.1X identification
• 802.1X can be enabled on the phone centrally with CUCM version 7.1.2 and later
• A tested scenario for "touchless" 802.1X configuration with telephony is described on cisco.com

Page 24: Section: Authorization and policy enforcement in the network

Page 25: Various authorization mechanisms

• TrustSec provides various authorization mechanisms for enforcing policy
• Three main mechanisms for separating access:
  VLAN assignment – ingress
  dACL assignment – ingress
  Security Group ACL (SGACL) – egress
• Three different deployment models for access restriction:
  Open mode (Monitor Mode)
  Restricted mode (Low Impact Mode)
  Secure mode (High-Security Mode)

Page 26: VLAN assignment: pros and cons

+ The simplest way to segment traffic
+ Most vendors support dynamic assignment of addresses (RFC 3580)
- New VLANs have to be created
- A new VLAN means a new IP subnet
- A dynamic VLAN change means a dynamic address change
- Managing many ACLs on every L3 interface is hard in large networks

Page 27: Downloadable ACLs: pros and cons

+ ACLs are managed centrally and applied for the given source IP address (the user's device)
+ The device address does not have to be written into the ACL
+ They scale better than per-user ACLs (more ACEs than a RADIUS VSA holds)
+ For some services (such as PXE Boot or Wake-on-LAN) access can be opened even before authentication using an interface ACL
- A change of destination IP address must be reflected in every ACE
- The switch's hardware resources can be exhausted when the number of ACE filter lines is large

Page 28: Policy deployment models

• The traditional 802.1X deployment mode (secure mode) assumes no network access before authentication.
• After authentication, network access is opened and a VLAN is assigned and/or an ACL is downloaded (optional).
• The complete lack of network access before authentication, or after a failed authentication, disrupts services:
  • DHCP, OS interactions (KRB5, LDAP, DNS, AD Group Policy Objects), the PXE protocol for OS boot, WoL for software and patch management
  • An undesirable effect during the rollout phase

Diagram: Open mode / Restricted mode / Secure mode. The TrustSec deployment modes help prevent 802.1X rollout problems.

Page 29: Open mode (no restrictions)

RADIUS logs provide the required data:
• Successful/failed 802.1X/EAP authentications – list of valid 802.1X clients – list of invalid 802.1X clients
• Successful/failed MAB authentications – list of valid MACs – list of invalid MACs

802.1X/MAB – Open Mode (PORT)
• All traffic is allowed
• Authentication still works
• Supported for 802.1X and MAB

Page 30: Control option 2, restricted mode: access control with ACL

Selectively open access:
• Open Mode plus a default ACL permitting
  – specific TCP/UDP ports
  – specific addresses
The ACL opens the required TCP/UDP ports; all other traffic is blocked until successful 802.1X, MAB or Web authentication.

Page 31: Control option 2, restricted mode: access control with ACL (continued)

PORT, after authentication:
• Downloadable dACLs overwrite the existing ACL on the port
• Grants full (or restricted) access

Page 32: Ingress access control

802.1X/MAB/Web Auth, followed by VLAN / VRF assignment or dACL download.

Questions with VLAN assignment:
• Can I create and manage VLANs and the IP address pool?
• How is DHCP renewal handled in the new network?
• How do I manage ACLs on the VLAN interface?
• Do protocols such as PXE or WOL work with VLAN assignment?
• What is the impact on route summarization?

Questions with dACLs:
• Who will maintain the ACL?
• What if my destination IP addresses change?
• Does my switch have enough TCAM memory to handle all the requests?

Traditional access-control methods have some deployment problems:
– A detailed design is required before deployment, otherwise…
– Not as flexible as the business requires
– Access control may require a redesign of the whole network

Page 33: Egress access control using Security Groups

Security-group-based access control lets customers:
– Keep the existing logical design at the access layer
– Change and apply policy to match current business requirements
– Distribute policy from a central management server

Diagram labels: SGACL; 802.1X/MAB/Web Auth; Finance (SGT=4); HR (SGT=10); "I am a contractor, my group is IT"; Contractor, IT; SGT = 100.

Page 34: Using SGT and SGACL

• A unique 16-bit tag (65K values) is assigned to each role
• It represents the privileges of a user, device or subject
• Tagging at ingress to the TrustSec domain (SGACL, SG, Security Group Tag)
• Filtering by tag (SGACL) at egress from the TrustSec domain (usually in the data center)
• Rules without IP addresses (the IP address is bound to the tag)
• The policy (ACL) is distributed from the central policy server (ACS) or configured locally on the TrustSec device

Benefits
• Provides topology-independent policies
• Flexible and scalable policies based on the user's role
• Centralized policy management for dynamic rule deployment
• Egress filtering reduces the load on TCAM

Page 35: Scenario: a hospital network

Users (source Security Group): Doctor (SGT 7), Staff (SGT 11), Guest (SGT 15), IT Admin (SGT 5)
Servers (destination Security Group): Medical DB (SGT 10), Internal Portal (SGT 9), Public Portal (SGT 8), IT Portal (SGT 4)
SGACL applied between the two sides. Figure counts as extracted: 100 x, 5 x, 145 x, 150 x (users); x 15, x 5, x 5, x 5 (servers).

Page 36: SGACL policy matrix: how SGACLs simplify access control

Source tag (rows): Doctors (SGT 7), IT admins (SGT 5)
Destination tag (columns): IT Portal (SGT 4), Public Portal (SGT 8), Internal Portal (SGT 9), Patient Record DB (SGT 10)
Doctors row, cells as extracted: Web; Web; No Access; Web, File Share
IT admins row, cells as extracted: Web, SSH, RDP, File Share; Web, SSH, RDP, File Share; Full Access; SSH, RDP, File Share

IT Maintenance ACL:
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 445
deny ip

Page 37: SGACL efficiency in real conditions

400 users get access to 30 network resources with 4 types of permission per resource.

Traditional ACL on the firewall without source filtering: Any (src) * 30 (dst) * 4 permissions = 120 ACEs
Traditional ACL on the VLAN interface, filtering by source subnet: 4 VLANs (src) * 30 (dst) * 4 permissions = 480 ACEs
With SGACL: 4 SGT (src) * 4 SGT (dst) * 4 permissions = 64 ACEs
Filtering on the port with a downloadable ACL: 1 group (src) * 30 (dst) * 4 permissions = 120 ACEs
Traditional ACL on the firewall with source filtering: 400 (src) * 30 (dst) * 4 permissions = 48 000 ACEs

Page 38: Security Group based Access Control: how it works

Diagram labels: Users, devices; Agent-less device; Active Directory; ACS v5.2; Catalyst® 3750-X; Catalyst® 4948; Campus Network; Nexus® 7000 (two); SXP; 802.1X; MAB; LWA; VLAN100; VLAN200; untagged frames; tagged frames; SGT=7; Doctor (SGT 7); IT Admin (SGT 5); IT Portal (SGT 4); Public Portal (SGT 8); Internal Portal (SGT 9); Patient Record DB (SGT 10).

1. A device connects to the network
2. The access switch authenticates the user and assigns an SGT
3. SXP propagates the IP-to-SGT tables to the N7K
4. The SGT-capable device (N7K) receives the packets and sets the SGT
5. The SGT-capable device (N7K) filters the packets based on the SGT

Page 39: Section: Data integrity and confidentiality

Page 40: Confidentiality and integrity: securing the data path with MACSec

• Provides "WLAN/VPN-equivalent" encryption (128-bit AES-GCM) for LAN connections
• Standards-based encryption (IEEE 802.1AE) plus standards-based key management (IEEE 802.1X-2010/MKA)
• Enables auditing and provides security services

Media Access Control Security (MACSec), also known as LinkSec.

Diagram labels: 802.1X; Supplicant with MACSec; Guest; MACSec-capable devices; Data forwarded in the clear; MACSec channel; Encrypt; Decrypt; Authenticated user.

Page 41: Current MACSec support

MACSec at the access layer
• Catalyst® 3750X/3560X (client ports)
• Requires Cisco IOS® 12.2(53)SE2
• 802.1X-REV (MKA) for key management – Note: at present MACSec is not supported on Cat3750-X uplinks

MACSec for the infrastructure
• Nexus® 7000 series DC switches
• Supported on 1GbE/10GbE line cards
• Requires NX-OS 5.0(2)a
• SAP (Cisco protocol) for key management

Note: SAP + MKA require ACS version 5.1 or later. SAP has an option for static key configuration on the Nexus 7000 interface. At present MACSec/MKA is supported only at the access layer, and MACSec/SAP is supported for infrastructure tasks. In the future, MACSec/MKA (the standard) will be supported everywhere.

Page 42: AnyConnect 3.0 for MACSec

AnyConnect 3.0 provides:
• A unified access interface for SSL-VPN, IPsec and 802.1X on LAN / WLAN
• MACSec / MKA (802.1X-REV) support for software encryption (speed depends on processing power)
• Using MACSec-capable hardware (network cards) increases AnyConnect 3.0 performance

Hardware MACSec support: Intel 82576 Gigabit Ethernet Controller; Intel 82599 10 Gigabit Ethernet Controller; Intel ICH10 - Q45 Express Chipset (1GbE LOM). (Dell, Lenovo, Fujitsu and HP make workstations with these network cards.)

Page 43: Section: Managing TrustSec: CiscoWorks LMS 4.0

Page 44: The CiscoWorks LMS 4.0 system

Work Center | Configuration | Monitoring and reporting
EnergyWise | Large-scale switch configuration; manage EW domains and policies | Power consumption, cost savings, policy compliance, alarms & events
Cisco TrustSec™ | Large-scale 802.1x identity deployment; day-N configuration changes | Authorization and authentication success/failure trends, login stats
Smart Install | Centrally manage Smart Install Directors; manage client switch configuration and sw images | Smart Install-specific LMS job management
Auto Smartports | Large-scale ASP deployment and day-N configuration changes; event/trigger management; MAC-based group configuration | Auto Smartports-specific LMS job management

The work-center concept:
• manages the whole lifecycle of a specific task (technology)
• from readiness assessment through deployment and support
• simplifies large-scale technology rollouts

Page 45: Integration of LMS 4.0 with TrustSec functionality on switches

TrustSec™ Identity Work Center

• Assessment of network readiness (HW/SW/configuration) for a TrustSec deployment
• Switch configuration (RADIUS, authorization profiles on interfaces and devices, including all new TrustSec options)
• TrustSec configuration reports and troubleshooting
• Monitoring of identity data via SNMP (authenticated/authorized users, authentication failures, ...)
• Status-monitoring portlets for the LMS dashboard

Page 46: Calculating the financial metrics of a TrustSec deployment

Page 47: TrustSec Return On Investment (ROI) calculator

Page 48: Cost and loss calculation

Page 49: Conclusions

• TrustSec provides a complete access-control architecture that covers diverse user scenarios and leads the NAC market in functionality
• TrustSec uses many features of the Cisco network infrastructure, which simplify deployment and allow it to adapt to the needs of real, heterogeneous networks
• The value of TrustSec lies in its support for a large number of additional services (guest access, support for agentless devices, security tags and encryption) that significantly extend the basic functionality of NAC or 802.1X
• The next step in the development of Cisco TrustSec solutions is tighter integration into a single platform

Page 50: Questions and Answers

Page 51: Useful links

TrustSec based on 802.1X for campus networks http://www.cisco.com/en/US/products/ps6638/products_ios_protocol_group_home.html

Identity-Based Networking Services: Deploying IEEE 802.1X http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.html

Scenario-based deployment of Identity Based Networking Services http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_C11-530469.html

Configuring and deploying IP telephony in IEEE 802.1X networks http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html

ROI calculators for TrustSec http://www.cisco.com/assets/sol/sec/flash/trustsec/pop.html http://www.ciscosecuritynac.com/Cisco_NAC_GOV_ROI_Calculator.xls

Page 52: We would like to know your opinion

Please fill in the questionnaire

Page 53: Overview of the new versions of Cisco network access control solutions: Cisco NAC, Cisco Secure ACS

Vladimir Ilibman, systems engineer-consultant

Page 54: Contents

• Role-based access control in the LAN. Practical scenarios for applying the technologies.
• Rule-based access policies. Cisco Secure ACS 5.x
• Access-control model based on NAC Appliance
• Profiling access for "non-user" devices
• Guest access

Page 55: Rule-based access policies. Cisco Secure ACS 5.x

Page 56: Cisco Access Control System 5.2 platform options

1. Cisco Secure 1121 appliance – a 1RU appliance based on a Linux-like operating system (ADE OS) with a hardened security policy
2. VMware image – the software application plus Linux OS, for installation on VMware ESX 3.5 or 4.0

Version 5.2 adds:
• FIPS 140-2 Level 1 certification
• SHA-256 support
• Internet Explorer 8 support for the administrator interface
• Windows Server 2008 R2 support for AD authentication

Page 57: Cisco Secure Access Control System (ACS) 5.x architecture highlights

Figure: ACS 5.x layered architecture. Layers: Identity interfaces; Device protocols; ACS Runtime; Policy & Inventory; Accounting & Logging / Session State; Posture & audit protocols; Provision interfaces and tools; ACS Management; Reporting & Troubleshooting. External interfaces: Report; Interact & Query; Integrate & Enforce.

1. A rule-based operating model that gives flexibility in defining policies
2. A new incremental replication mechanism, enabling distributed deployments
3. Simplified administration through an updated Web GUI and a new IOS-like CLI
4. New reporting capabilities, previously part of the separate Cisco ACS View product
5. Support for user and device hierarchies in the internal ACS database
6. Improved integration with external stores (AD, LDAP, SecurID/OTP, RADIUS proxy) for identification and policy decisions

Page 58: More flexible policy with role-based access control

Figure: Identity information (Identity: Network Administrator; Identity: Full-Time Employee; Identity: Guest) + Access privilege (Engineering; Human Resources; Finance; Home Access; Deny Access; Guest) + Other conditions (Time and Date; Access Type; Location).

Example users: Anton Almazov, Employee, Consultant; Viktoria Katernyuk, Employee, Marketing; Anna Petrova, Employee, Sales Director; Maria Sidorova, HR department employee. Everyone has their own role.

Page 59: Policy for modern business requirements

Figure: Identity information (Identity: network administrator; Identity: full-time employee; Identity: guest) + Access privileges (Consultant; HR department; Accounting; Marketing; Deny; Guest) + Other conditions (Time and date; Access type; Location).

Page 60: Role and rule-based access control

Figure: Identity information (Network Administrator; Guest; Full-Time Employee) + Access privileges (Engineering; Finance; Home Access; Deny Access; Guest; HR department) + Other conditions (Time and Date; Where: head office; Access type: wired). Example: Sidorova M., HR department employee, wired in the head office, receives the HR department privileges.

Page 61: Role and rule-based access control

Figure: Identity information (Network Administrator; Guest; Full-Time Employee) + Access privileges (Engineering; Finance; Home Access; Guest; Human Resources) + Other conditions (Time and date; Where: branch office; Access type: wireless). Example: Sidorova M., HR department employee, wireless in a branch office (outside the perimeter), is denied.

Page 62: Example policy elements

Policy conditions: Access Type; Location; Date and Time; Network Device Type; NAD IP Address; EAP Auth Method; Authentication Status; AD Group; LDAP Attributes; RADIUS Attribute; ...

User record: Sidorova Maria. Type: Reg. Employee. Position: Sr. HR Advisor. Group: HR Admin Group. Department ID: 240087. Phone: 495-555-5555. Mail: [email protected]

Page 63: Applying access rules

1. The network-access authorization policy in ACS provides a powerful IF-THEN-ELSE model for building a flexible corporate policy
2. Authorization profiles provide the methods for enforcing the policy at the point of entry.
3. A host can also be assigned a Security Group at the same time

Authorization methods:
• VLAN assignment
• Downloadable ACL (dACL)
• URL redirection
• Security Group ACL
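The rule-based model of slides 58 to 63 (identity group, AD group, access type, location and time window as conditions; VLAN, dACL, SGT or URL redirect as the result) can be made concrete with a small policy evaluator. The following is an added example written for this page, not Cisco code and not an ACS export; the rule table, profile names, VLAN/dACL/SGT values, the "All Locations:HQ" location paths and the 07:00-20:00 window are assumptions chosen to reproduce the Sidorova scenario from slides 60 and 61.

```python
"""Rule-based authorization modelled on the ACS 5.x IF-THEN-ELSE policy table.
Constructed example: rule set, profile names, VLAN/dACL/SGT values and the
location strings are assumptions, not Cisco defaults."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """What the network device and the identity stores tell ACS about one session."""
    user: str
    identity_group: str          # Network Administrator | Full-Time Employee | Guest
    ad_groups: FrozenSet[str]    # groups returned by the AD lookup
    access_type: str             # wired | wireless | vpn
    location: str                # network-device-group path, e.g. "All Locations:HQ"
    when: datetime


@dataclass(frozen=True)
class Profile:
    """Authorization profile: the enforcement ACS hands back to the switch."""
    name: str
    vlan: Optional[str] = None
    dacl: Optional[str] = None
    sgt: Optional[int] = None
    url_redirect: Optional[str] = None


DENY = Profile("Deny Access")


@dataclass(frozen=True)
class Rule:
    """One row of the authorization policy; a None condition means 'any'."""
    name: str
    result: Profile
    identity_group: Optional[str] = None
    ad_group: Optional[str] = None
    access_types: Optional[FrozenSet[str]] = None
    location_prefix: Optional[str] = None       # matches a whole NDG subtree
    hours: Optional[Tuple[time, time]] = None   # permitted local time window

    def matches(self, r: Request) -> bool:
        if self.identity_group and r.identity_group != self.identity_group:
            return False
        if self.ad_group and self.ad_group not in r.ad_groups:
            return False
        if self.access_types and r.access_type not in self.access_types:
            return False
        if self.location_prefix and not r.location.startswith(self.location_prefix):
            return False
        if self.hours and not (self.hours[0] <= r.when.time() <= self.hours[1]):
            return False
        return True


def authorize(rules: List[Rule], r: Request, default: Profile = DENY) -> Tuple[str, Profile]:
    """First matching row wins, as in the ACS policy table; otherwise the default rule."""
    for rule in rules:
        if rule.matches(r):
            return rule.name, rule.result
    return "Default", default


# Policy table reproducing the deck's HR example (assumed values).
RULES = [
    Rule("Net-Admin", Profile("Admin", vlan="10", sgt=2),
         identity_group="Network Administrator", access_types=frozenset({"wired"})),
    Rule("HR-Wired-HQ", Profile("Human Resources", vlan="20", dacl="PERMIT_HR_APPS", sgt=20),
         identity_group="Full-Time Employee", ad_group="HR Admin Group",
         access_types=frozenset({"wired"}), location_prefix="All Locations:HQ",
         hours=(time(7, 0), time(20, 0))),
    Rule("Employee-Wireless-Branch", DENY,
         identity_group="Full-Time Employee", access_types=frozenset({"wireless"}),
         location_prefix="All Locations:Branch"),
    Rule("Guest", Profile("Guest", vlan="900", url_redirect="https://guest.example.net/portal"),
         identity_group="Guest"),
]

# Constructed sessions for Maria Sidorova (HR) and for a guest account.
HR = frozenset({"HR Admin Group"})
SESSIONS = {
    "hq_wired": Request("msidorova", "Full-Time Employee", HR, "wired",
                        "All Locations:HQ:Floor3", datetime(2010, 11, 2, 10, 30)),
    "branch_wireless": Request("msidorova", "Full-Time Employee", HR, "wireless",
                               "All Locations:Branch:Kiev", datetime(2010, 11, 2, 10, 30)),
    "hq_night": Request("msidorova", "Full-Time Employee", HR, "wired",
                        "All Locations:HQ:Floor3", datetime(2010, 11, 2, 23, 15)),
    "guest": Request("guest0421", "Guest", frozenset(), "wireless",
                     "All Locations:HQ:Lobby", datetime(2010, 11, 2, 10, 30)),
}

if __name__ == "__main__":
    for label, req in SESSIONS.items():
        rule, prof = authorize(RULES, req)
        print(f"{label:16s} -> {rule:26s} {prof}")
```

The night-time HQ session falls through to the default rule: an explicit "Deny" row only documents the branch/wireless case, while anything the table does not list is denied anyway, which is the behaviour to verify whenever a new row is added above an existing one.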

Page 64: Cisco ACS monitoring and troubleshooting

Fully customizable dashboards

Detailed reporting:
• Standard reports
• Templates
• Custom reports

Alarms and notifications:
• Custom triggers
• Alarms via email or syslog

Page 65: Live Authentication Log dashboard

1. The Live Authentication Log gives quick access to authentication records in real time
2. Additional details are available for each authentication: the reason for a failure and the detailed sequence of decisions

Page 66: Live Authentication Log dashboard. Example of the Log Analysis View:

– Report on user authentications

Page 67: Grouping devices and users

Flat device grouping in ACS 4.x:
Africa-Southern-SouthAfrica-Firewalls
Africa-Southern-SouthAfrica-Switches
Africa-Southern-SouthAfrica-Routers
Africa-Southern-Namibia-Firewalls
Africa-Southern-Namibia-Switches
Africa-Southern-Namibia-Routers
Africa-Southern-Botswana-Firewalls
Africa-Southern-Botswana-Switches
Africa-Southern-Botswana-Routers
…

Multiple hierarchies in ACS 5:

Device-type hierarchy: All devices; Routers: Router1, Router2; Switches: Switch1, Switch2

Location hierarchy: All devices; Africa Devices; Southern Devices; SouthAfrica Devices: Router2, Switch2; Asia Devices

Page 68: A device (or user) can belong to several groups

Assigning groups to a device

Page 69: Migrating from previous ACS versions

Check the ACS functionality you use: ACS 5.1/5.2 supports the vast majority of ACS 4.x features http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html

Use the following methods to build the configuration:
– Migration tool (imports ACS 4.x configurations)
– Import tool (a utility that imports CSV files with configuration): users, hosts, network devices, identity groups, NDGs, downloadable ACLs, command sets
– Manual configuration

Page 70: Access-control model based on NAC Appliance

Page 71: Cisco TrustSec NAC Appliance for infrastructures without 802.1X

Figure: users and devices (guests, IP phones, network-attached devices, a computer with NAC Agent) connect through a Cisco Catalyst switch or WLC, the policy enforcement point, into the campus network towards the protected resources. NAC Manager and NAC Server sit beside the campus network; NAC Manager controls the switch via SNMP. Supporting servers: NAC Guest Server, NAC Profiler Server, Directory Service.

Page 72: NAC Appliance benefits

• Authentication: of users and devices on the network
• Policy control and enforcement: to comply with the access policy
• Checks and reports: who is on my network?
• Differentiated access: to organize role-based access to the network

Page 73: NAC authentication and authorization process: Out-of-Band

1. The end user plugs a laptop into the network
2. The switch sends NAC Manager a notification about the new MAC address
3. If the device has not been authenticated by NAC Manager, it is moved to the "authentication" VLAN.

Figure: computer with NAC Agent; Switch; NAC Manager; NAC Server; Network; VLAN 10 and VLAN 110.

Page 74: NAC authentication and authorization process: Out-of-Band

4. Credentials are requested to determine the "role":
• the NAC Agent receives from the NAC Server a command to check compliance according to that role
5. If necessary, the computer's configuration is remediated

Figure: computer with NAC Agent; Switch; NAC Manager; NAC Server; Network; VLAN 10 and VLAN 110.

Page 75: NAC authentication and authorization process: Out-of-Band

7. NAC Server informs NAC Manager that the host is "certified", and NAC Manager tells the switch to put the port into the "access" VLAN.
8. The laptop gets access to the corporate network

Figure: laptop with NAC Agent; Switch; NAC Manager; NAC Server; Network; VLAN 10 and VLAN 110.

Page 76: NAC Agent for NAC login and compliance assessment

Figure: NAC Agent login dialog. 4. The state of the machine is analyzed (the type of checks depends on the user role). Remediation options (manual and automatic). Authentication with SSO support.

Page 77: NAC Appliance web authentication

Web agent for contractors and guests (performs the posture check). Browser for web authentication.

Page 78: NAC Appliance deployment options

1. Wired network – L3 Out-of-Band with ACL or VRF
2. Wireless network – In-Band, or L2 Out-of-Band attached to the WLC controller
3. VPN – attached In-Band to a VPN concentrator or an ASA
4. Third-party access devices – In-Band

Page 79: Introducing NAC 4.8

New features and capabilities to support a larger number of user scenarios:
• Out-of-Band Logoff
• Passive periodic posture assessment (Passive Re-Assessment)
• Faster AV/AS updates
• Support for NAC modules in the ISR
• Extended reporting
• The NAC Agent validates the server
• Restriction of administrator access by source IP

Figure: NACS, NACM, Auth.

Page 80: How do I re-assess devices after they have been certified? Periodic passive NAC assessment

• Agent support for Windows and Mac
• Agents receive the re-assessment policy from the NAC server
• Policies are defined independently for each user role
• You can let users continue working, have them remediate the non-compliance, or force them to log off when a re-assessment fails

Figure: NACM / NACS; list of non-compliances; role requirements; "You must remediate"; "Requirements satisfied".

The passive re-assessment policy can be assigned independently of the login (initial system access) policy

Page 81: Using NAC Profiler for device access control

Page 82: NAC Profiler: benefits

Example categories of profiled devices: IP phones; printers; IP cameras; UPS units; PCs without supplicants.

Figure: Profiler Collector and NAC Profiler discovering the non-802.1X devices on your network.

Device profiling: discovery of all network devices by type and location; real-time and historical status of discovered devices.

Device monitoring: monitoring the state of network devices; detection of events such as address spoofing, port changes and so on.

Page 83: Profiling

The Profiler Collector gathers and correlates attributes to identify endpoints; a profile is therefore a set of attributes.

Figure: NAC Profiler Server; Profiler Collector; sources: CDP; NetFlow (IP address and port); DHCP vendor ID; MAC OUI.

What does a phone profile look like? In the Profiler Server the administrator defined "phone" as:
• MAC OUI = Cisco Systems
• CDP ID = SEP00BFDFCD658
• DHCP vendor ID = IP phone
• Traffic = RTP, SIP and Skinny

Anti-spoofing: if a "phone" starts sending traffic other than voice, the device is no longer profiled as a phone.

Page 84: Endpoint attributes used to determine a profile

Layer 2:
• MAC address / vendor
• DHCP attributes: Vendor Class Identifier; Hostname; DHCP options (for example option 150 for IP phones)
• RADIUS accounting information

Layer 3-7:
• Open TCP ports
• Traffic type
• Web User-Agent type
• Web URL matching
• Banners of an embedded web server
• Banners of an embedded SMTP server
• Network stack information
• DNS name
• CDP
• SNMP System Description

Page 85: NAC profile in an 802.1X infrastructure

Figure: NAC Profiler Collectors send collected device data to the NAC Profiler Server; Cisco Secure ACS integrates with the Profiler Server via LDAP (LDAP query / LDAP response) for management and control.

Page 86: 802.1X and Profiler LDAP integration

• Profiler integrates with ACS over LDAP for MAC-address classification in MAC Authentication Bypass (MAB).
• Profiler passes the following to ACS: the MAC address of the discovered device; the profile name.
• Profiler can make the switch port re-authenticate the device by "bouncing" the port.

Page 87: NAC Profiler with NAC Appliance

Figure: NAC Profiler Server exchanges collected device data, management and control with NAC Manager via the NAC API and direct SQL; NAC Servers each run a NAC Profiler Collector.

Page 88: Integration with NAC Manager

• All endpoints are classified with NAC Profiler. Profiler filters the profiled devices and passes the information to NAC Manager. The following data is passed through the NAC Manager API:
– the device's MAC address
– a description
– the access type (Allow, Deny, Role, Check, Ignore)

• Profiler keeps monitoring devices to make sure the profile has not changed. If the profile changes (because the device was swapped), Profiler informs NAC Manager and the device is reclassified.

Page 89: Guest access management

Page 90: Guest access management options

Three options for managing guest accounts:
• Local web authentication on the switch
– used mainly in small deployments
– wired connection
• Centralized NAC Guest Server
– used for large deployments
– wired and wireless connections supported
– flexible provisioning of guest accounts
• Centralized on the Wireless Controller
– widely used when guests connect only over wireless

Guest access types: Group: Contractor; Group: Guest

Page 91: Guest access management cycle

Creating a guest login: delegation of account-creation rights; batch account creation

Providing logins to guests: print; send by email; send via SMS

Managing guest logins: view, edit, automatically lock; manage account groups

Reporting on guests: view network-traffic reports; view account-activity reports

Page 92: TrustSec NAC Guest Server

NAC Guest Server (NGS) 2.0.2
• A multifunctional appliance (NAC Appliance 3315 platform)
• The whole life cycle of guest access management
• Hosting of authentication hotspot pages
• A flexible web portal for the employees who sponsor guest accounts, with integration into: Active Directory with SSO support, LDAP, RADIUS, Kerberos

Page 93: How network devices work with NAC Guest

Network devices enforce access control for the guest user:
– provide an automatic redirect to the portal
– authenticate the user against the guest server
– enforce the access rights
– store information about network activity

Cisco NAC Appliance:
– posture assessment
– wired and wireless enforcement

Cisco Wireless LAN Controllers:
– built-in guest-access features
– wired or wireless use
– built-in tunnelling of guest traffic (anchor controller)

Any device is supported through RADIUS authentication

Page 94: Use case: unified web authentication for wired and wireless access by employees and guests

Figure: employee (with SSC supplicant) and guest connect over wired or WLAN; authentication goes through ACS 5.1 as RADIUS proxy to Active Directory for employees and to NAC Guest Server 2.0.2 for guests. Properties: parity between wired and WLAN; centralized policy and accounting; compatibility with 802.1X/MAB for employees.

Page 95: Guest activity report

Consolidated activity report for: guestname, IP address: 10.1.1.1
Login time: 15:05; logout time: 14:30

15:07 10.1.1.1 accessed http://www.cisco.com
15:08 10.1.1.1 used the bittorrent protocol
15:09 10.1.1.1 connected to vpn.mycompany.com

Page 96: Detailed audit of guest activity

• When the login happened
• Where the login happened
• The guest's address
• What the guest did
• What was allowed
• What was denied

Page 97: Conclusions

• Cisco Secure ACS 5.x is the core of the TrustSec system and allows very flexible management of access rights
• Cisco LMS 4.0 provides integrated management for TrustSec/802.1X deployments
• The Cisco TrustSec solution has a large number of additional services (guest access, agentless device profiling, integrated management) and leads the NAC market in functionality
• The next step in the development of Cisco TrustSec solutions is tighter integration into a single platform

Page 98: Questions and Answers

Page 99: We would like to know your opinion

Please fill in the questionnaire