Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Published byShawn Harris Modified over 8 years ago

Similar presentations

Presentation on theme: "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved."— Presentation transcript:

1 1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

2 2 © 2005 Cisco Systems, Inc. All rights reserved. Network Security 1 Module 4 – Trust and Identity Technology

3 3 © 2005 Cisco Systems, Inc. All rights reserved. Learning Objectives 4.1 AAA 4.2 Authentication Technologies 4.3 Identity Based Networking Services (IBNS) 4.4 Network Admission Control (NAC)

4 4 © 2005 Cisco Systems, Inc. All rights reserved. Module 1 – Trust and Identity Technology 4.1 AAA

5 5 © 2005 Cisco Systems, Inc. All rights reserved. AAA Model— Network Security Architecture Authentication Who are you? “I am user student and my password validateme proves it.” Authorization What can you do? What can you access? “I can access host 2000_Server with Telnet.” Accounting What did you do? How long did you do it? How often did you do it? “I accessed host 2000_Server with Telnet 15 times.”

6 6 © 2005 Cisco Systems, Inc. All rights reserved. Implementing Cisco AAA Administrative access—Console,Telnet, and Aux access Remote user network access—Async, group-async, BRI, and serial (PRI) access Cisco Secure ACS Remote client (SLIP, PPP, ARAP) NAS Corporate file server Console PSTN/ISDN Internet Remote client (Cisco VPN Client) Router Cisco Secure ACS appliance

7 7 © 2005 Cisco Systems, Inc. All rights reserved. Implementing AAA Using Local Services 1.The client establishes connection with the router. 2.The router prompts the user for their username and password. 3.The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database. 2 13 Perimeter router Remote client

8 8 © 2005 Cisco Systems, Inc. All rights reserved. Implementing AAA Using External Servers 1.The client establishes a connection with the router. 2.The router communicates with the Cisco Secure ACS (server or appliance). 3.The Cisco Secure ACS prompts the user for their username and password. 4.The Cisco Secure ACS authenticates the user. The user is authorized to access the network based on information found in the Cisco Secure ACS database.2 1 3 Perimeter router Remote client Cisco Secure ACS Cisco Secure ACS appliance4

9 9 © 2005 Cisco Systems, Inc. All rights reserved. The TACACS+ and RADIUS AAA Protocols Two different protocols are used to communicate between the AAA security servers and a router, NAS, or firewall. Cisco Secure ACS supports both TACACS+ and RADIUS: TACACS+ remains more secure than RADIUS. RADIUS has a robust API and strong accounting. Cisco Secure ACS Firewall Router Network access server TACACS+RADIUS Security server

10 10 © 2005 Cisco Systems, Inc. All rights reserved. Module 1 – Trust and Identity Technology 4.2 Authentication Technologies

11 11 © 2005 Cisco Systems, Inc. All rights reserved. Authentication Methods

12 12 © 2005 Cisco Systems, Inc. All rights reserved. Authentication—Remote PC Username and Password

13 13 © 2005 Cisco Systems, Inc. All rights reserved. Authentication— One-Time Passwords, S/Key List of one-time passwords Generated by S/Key program hash function Sent in clear text over network Server must support S/Key 308202A8 30820211 A0030201 02020438 0500301B 310B3009 06035504 06130255 1E170D39 39313032 32313730 3634375A C84DFBC0 4C7BD4B1 F79FC2ED 30A02EA4 S/Key passwordsWorkstation Security server supports S/Key S/Key password (clear text) 308202A8 30820211 A0030201 02020438 0500301B 310B3009 06035504 06130255 1E170D39 39313032 32313730 3634375A C84DFBC0 4C7BD4B1 F79FC2ED 30A02EA4

14 14 © 2005 Cisco Systems, Inc. All rights reserved. Authentication— Token Cards and Servers 1.2. 4. 3. Cisco Secure ACS (OTP) Token server

15 15 © 2005 Cisco Systems, Inc. All rights reserved. AAA Example— Authentication Via PPP Link PAP—Password Authentication Protocol Clear text, repeated password Subject to eavesdropping and replay attacks CHAP—Challenge Handshake Authentication Protocol Secret password, per remote user Challenge sent on link (random number) Challenge can be repeated periodically to prevent session hijacking The CHAP response is an MD5 hash of (challenge + secret) provides authentication Robust against sniffing and replay attacks MS-CHAP—Microsoft CHAP v1 (supported in IOS > 11.3) and v1 or v2 (supported in IOS > 12.2) Network access server TCP/IP and PPP client PPP PSTN or ISDN PPP

16 16 © 2005 Cisco Systems, Inc. All rights reserved. Module 1 – Trust and Identity Technology 4.3 Identity Based Networking Services (IBNS)

17 17 © 2005 Cisco Systems, Inc. All rights reserved. Identity Based Network Services Cisco VPN Concentrators, Cisco IOS Routers, PIX Firewalls Unified Control of User Identity for the Enterprise Router Internet Cisco Secure ACS Firewall VPN Clients Hard and Soft Tokens Remote Offices OTP Server

18 18 © 2005 Cisco Systems, Inc. All rights reserved. Identity Based Networking Services Features and Benefits: Intelligent adaptability for offering greater flexibility and mobility to stratified users A combination of authentication, access control, and user policies to secure network connectivity and resources User productivity gains and reduced operating costs

19 19 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x Components

20 20 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x Authentication Server (RADIUS) Catalyst 2950 (switch) End User (client)

21 21 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x Benefits FeatureBenefit 802.1x Authenticator Support Enables interaction between the supplicant component on workstations and application of appropriate policy. MAC Address Authentication Adds support for devices such as IP phones that do not presently include 802.1x supplicant support. Default Authorization Policy Permits access for unauthenticated devices to basic network service. Multiple DHCP Pools Authenticated users can be assigned IP addresses from a different IP range than unauthenticated users, allowing network traffic policy application by address range.

22 22 © 2005 Cisco Systems, Inc. All rights reserved. 802.1x Wireless LAN Example Authentication Server (RADIUS) Catalyst 2950 (switch) Access Point

23 23 © 2005 Cisco Systems, Inc. All rights reserved. Module 1 – Trust and Identity Technology 4.4 Network Admission Control (NAC)

24 24 © 2005 Cisco Systems, Inc. All rights reserved. NAC Components

25 25 © 2005 Cisco Systems, Inc. All rights reserved. NAC Vendor Participation

26 26 © 2005, Cisco Systems, Inc. All rights reserved.

Download ppt "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved."

Similar presentations

Authentication.

Authentication.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.

Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.
Georgy Melamed Eran Stiller

Georgy Melamed Eran Stiller
RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.

RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,
Remote Networking Architectures

Remote Networking Architectures
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.

1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.

Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x OVERVIEW Sudhir Nath Product Manager, Trust.

1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID 802.1x OVERVIEW Sudhir Nath Product Manager, Trust.

Similar presentations

Ads by Google