Historically, Ethernet networks offered few capabilities for the
authentication of devices or users to the network. When originally developed,
the protocols underpinning TCP/IP over Ethernet, such as ARP and DHCP, simply
did not address user authentication, authorization, or accounting. The key
challenge at the time was connectivity. Advanced security concerns were issues
for the future. It is still true today that in the vast majority of
organizations any person who can physically attach a computer to the LAN will
automatically be granted TCP/IP connectivity to the network without further
checks concerning whether such connectivity is appropriate. With the security
focus of most organizations having been on the external risks posed by
connection to the Internet, relatively uncontrolled IP access has been
available on the LAN. With the wider deployment of networks and the
accompanying vulnerabilities, most organizations are becoming concerned about
this reliance on crude physical security to limit access to their networks.
The addition of RADIUS support to Cisco Catalyst switches means that the
user-based access control schemes that have been available to control remote
user access are now available on the links of Cisco Catalyst switches. This
represents a fundamental breakthrough in the access control schemes that can
now be achieved on broadcast or switch-based Ethernet networks. One example of
configuration data that an organization might want delivered by RADIUS is the
VLAN identification for each user.
EAP represents the technology framework that makes it possible to deploy RADIUS
into Ethernet network environments. It also allows for the adoption of AAA
schemes and the security advantages that are available when using AAA servers.
The 802.1x standard, also known as EAP over LAN (EAPOL), concerns the part of
the wider EAP standard that relates to broadcast media networks. Upon
connection, EAPOL provides a communications channel between an end user on a
client LAN device and the AAA server, through the LAN switch. Conceptually, the
functionality is very similar to that provided by Point-to-Point Protocol (PPP)
servers on point-to-point links. With the addition of AAA support for user
access control, every Ethernet LAN connection can be authenticated against the
individual user requesting it. Network connectivity is provided only if valid
credentials are supplied. In addition, the RADIUS protocol provides for the
delivery of granular controls that the switch applies to the network
connectivity it supplies to the user. Finally, RADIUS provides for the
collection of a user's usage statistics for network resources.
By supporting complex challenge-response dialogues, EAP supports the user-based
authentication demands both of conventional one-way hashed password
authentication schemes such as CHAP and of more advanced authentication schemes
such as TLS or digital certificates. The flexible capabilities provided by EAP
thus allow deploying organizations to start with less secure but
simple-to-implement authentication protocols and then move to more secure but
more complex protocols as requirements dictate. For a more complete explanation
of EAP and a discussion of the capabilities and security attributes of the
different password protocol schemes supported, follow the web link User Guide
for Cisco Secure ACS Solution Engine Version 3.3 – System Configuration:
Authentication and Certificates that is provided below.
Network Access Policy
Network access policy is a broad concept. In general, it defines how users can
connect to the network and what services they will be provided with when
connected to it.
Cisco Secure ACS-based access policy enforcement provides control by using
central authentication and authorization of network users. The Cisco Secure ACS
database maintains all user IDs, passwords, and privileges in the form of a
RADIUS access profile. Upon receipt of a RADIUS access-request packet from the
switch on behalf of a user, the Cisco Secure ACS first determines which
authentication method will be used for that request and then processes it.
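As an added illustration of the exchange just described, and of the per-user VLAN delivery mentioned earlier, the following Python sketch (written for this page, not Cisco's or Cisco Secure ACS's own code) builds the RADIUS Access-Request a switch would send on a supplicant's behalf, with the EAP-Response/Identity carried in EAP-Message and sealed by Message-Authenticator, and shows the check a switch should make on the Access-Accept before applying the VLAN carried in the Tunnel-* attributes. The shared secret, identifiers, user name and VLAN are constructed sample values; the attribute numbers come from RFC 2865, RFC 2868 and RFC 3579.

```python
import hashlib, hmac, struct

# Codes and attribute numbers from RFC 2865, RFC 2868 and RFC 3579.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MSG_AUTH = 1, 61, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP = TUNNEL_ATTRS = 64, 65, 81
PORT_ETHERNET = 15
VLAN, MEDIUM_802 = b"\x00\x00\x0d", b"\x00\x00\x06"  # 3-byte values after the tag

def attr(t, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", t, 2 + len(value)) + value

def attrs_of(pkt):
    """Yield (type, value) for each attribute after the header; stop on a bad length."""
    off = 20
    while off + 2 <= len(pkt) and pkt[off + 1] >= 2:
        yield pkt[off], pkt[off + 2:off + pkt[off + 1]]
        off += pkt[off + 1]

def untag(v):
    """Strip the RFC 2868 tag byte that leads Tunnel-* attribute values."""
    return v[1:] if v and v[0] <= 0x1F else v

def build_access_request(secret, ident, req_auth, username, eap_response):
    """Switch -> ACS for one supplicant: EAP-Response/Identity inside EAP-Message,
    Message-Authenticator = HMAC-MD5(secret, packet with its own value zeroed)."""
    body = (attr(USER_NAME, username.encode())
            + attr(NAS_PORT_TYPE, struct.pack("!I", PORT_ETHERNET))
            + attr(EAP_MESSAGE, eap_response) + attr(MSG_AUTH, bytes(16)))  # kept last
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def build_access_accept(secret, req_auth, ident, vlan):
    """Constructed ACS reply: the user's VLAN in tagged Tunnel-* attributes, sealed by
    Response Authenticator = MD5(code | id | length | req_auth | attrs | secret)."""
    body = (attr(TUNNEL_TYPE, b"\x01" + VLAN) + attr(TUNNEL_MEDIUM, b"\x01" + MEDIUM_802)
            + attr(TUNNEL_PRIV_GROUP, b"\x01" + vlan.encode()))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def vlan_from_accept(secret, req_auth, accept):
    """Switch side: verify the reply, then return the VLAN to apply (None = keep closed)."""
    expect = hashlib.md5(accept[:4] + req_auth + accept[20:] + secret).digest()
    if accept[0] != ACCESS_ACCEPT or not hmac.compare_digest(expect, accept[4:20]):
        return None
    f = {t: untag(v) for t, v in attrs_of(accept) if t in TUNNEL_ATTRS}
    if f.get(TUNNEL_TYPE) != VLAN or f.get(TUNNEL_MEDIUM) != MEDIUM_802:
        return None
    return f[TUNNEL_PRIV_GROUP].decode() if TUNNEL_PRIV_GROUP in f else None
```

A real switch also sends attributes such as NAS-IP-Address and Calling-Station-Id, omitted here for brevity; the point is that a reply whose Response Authenticator does not match the request and shared secret yields no VLAN at all.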