Identity-Based Networking Services (IBNS)
IBNS and Cisco Secure ACS

Historically, Ethernet networks offered few capabilities for the authentication of devices or users to the network. When originally developed, the protocols underpinning TCP/IP over Ethernet, such as ARP and DHCP, simply did not address user authentication, authorization, or accounting. The key challenge at the time was connectivity. Advanced security concerns were issues for the future. It is still true today that in the vast majority of organizations any person who can physically attach a computer to the LAN will automatically be granted TCP/IP connectivity to the network without further checks concerning whether such connectivity is appropriate. With the security focus of most organizations having been on the external risks posed by connection to the Internet, relatively uncontrolled IP access has been available on the LAN. With the wider deployment of networks and the accompanying vulnerabilities, most organizations are becoming concerned about this reliance on crude physical security to limit access to their networks.

The addition of RADIUS support to Cisco Catalyst switches means that the user-based access control schemes that have been available to control remote user access are now available on the links of Cisco Catalyst switches. This represents a fundamental breakthrough in the access control schemes that can now be achieved on broadcast or switch-based Ethernet networks. One example of configuration data that an organization might want delivered by RADIUS is the VLAN identification for each user.

EAP represents the technology framework that makes it possible to deploy RADIUS into Ethernet network environments. It also allows for the adoption of AAA schemes and the security advantages that are available when using AAA servers. The 802.1x standard, also known as EAP over LAN (EAPOL), concerns that part of the wider EAP standard that relates to broadcast media networks. Upon connection, EAPOL provides a communications channel between an end user on a client LAN device and the AAA server, relayed through the LAN switch. Conceptually, the functionality is very similar to that provided by Point-to-Point Protocol (PPP) servers on point-to-point links. With the addition of AAA support for user access control, every Ethernet LAN connection can be authenticated against the individual user requesting it. Network connectivity is provided only if valid credentials are supplied. In addition, the RADIUS protocol provides for delivery of granular control over the network connectivity that the switch supplies to the user. Finally, RADIUS provides for the collection of a user's usage statistics of network resources.
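As an added illustration, not taken from this document or from Cisco's own code, the following Python builds the RADIUS Access-Accept that the AAA server returns for an authenticated user, carrying the per-user VLAN assignment in the RFC 2868 tunnel attributes, and shows the check a switch must perform before acting on it: validating the Response Authenticator against the shared secret (MD5 over the packet and secret, as RFC 2865 specifies). The shared secret, request authenticator and VLAN number are constructed sample values.

```python
"""Build and validate a RADIUS Access-Accept carrying a VLAN assignment."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
# RFC 2868 tunnel attributes, used for 802.1X VLAN assignment per RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute-value pair: type octet, total length octet, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Tunnel attributes telling the switch which VLAN to place the port in."""
    # Each tunnel attribute starts with a tag octet; the integer ones carry 3 value bytes.
    return (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, vlan_id: int) -> bytes:
    """Server side: Access-Accept that assigns vlan_id to the authenticated user."""
    attrs = vlan_attributes(vlan_id)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_access_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Switch side: return the assigned VLAN, or None if the reply is not authentic."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        return None
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # forged or corrupted reply: never apply its VLAN
    vlan, pos = None, 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            return None  # malformed attribute list
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            value = attrs[pos + 2:pos + attr_len]
            vlan = (value[1:] if value and value[0] <= 0x1F else value).decode()
        pos += attr_len
    return vlan
```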

By supporting complex challenge-response dialogues, EAP facilitates the user-based authentication demands both of conventional one-way hashed password authentication schemes such as CHAP and of more advanced authentication schemes such as TLS or digital certificates. The flexible capabilities provided by EAP thus allow deploying organizations to start with less secure but simple-to-implement authentication protocols and then move to more secure but more complex protocols as requirements dictate. For a more complete explanation of EAP and a discussion of the capabilities and security attributes of the different password protocol schemes supported, follow the web link User Guide for Cisco Secure ACS Solution Engine Version 3.3 – System Configuration: Authentication and Certificates that is provided below.

Network Access Policy
Network access policy is a broad concept. In general, it defines how users can connect to the network and what services they will be provided with when connected to it.

Cisco Secure ACS-based access policy enforcement provides control by using central authentication and authorization of network users. The Cisco Secure ACS database maintains all user IDs, passwords, and privileges in the form of a RADIUS access profile. Upon receipt of a RADIUS access-request packet from the switch on behalf of a user, the Cisco Secure ACS first determines which authentication method will be used for that request and then processes it.


Web Links