BRKSEC-2005
14657_05_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Network Access
Default Functionality
Deployment Considerations
Reporting and Monitoring
Looking Forward
Deployment Case Study
Figure: the intranet (employees, managed assets, guests/contractors) and the Internet (outsiders)
Identity Networking
General Identity and Authentication Space
IEEE 802.1X
MAC Auth
Web Auth
AAA
Policy
Management
Troubleshooting
General Description
IEEE 802.1X Terminology
Supplicant  <-- EAP over LAN (EAPOL) / EAP over Wireless -->  Authenticator, Port Access Entity (PAE)  <-- EAP over RADIUS -->  Authentication Server
EAP Payload
Port Unauthorized
Cisco IOS (minimal 802.1X switch configuration: RADIUS for authentication and authorization, 802.1X enabled globally, then per port):
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/1
 dot1x pae authenticator
 dot1x port-control auto
A Closer Look
802.1X, STP
Port Unauthorized
  Supplicant -> Switch: EAPOL-Start
  Switch -> Supplicant: EAP-Identity-Request
  Supplicant -> Switch: EAP-Identity-Response
  Supplicant <-> Switch: EAP-Auth Exchange (EAP method dependent)   |   Switch <-> AAA Server: Auth Exchange w/AAA Server (RADIUS)
  Switch -> Supplicant: EAP-Success/Failure   |   AAA Server -> Switch: Authentication Successful/Rejected
Port Authorized (Policy Instructions from the AAA server applied)
  Supplicant -> Switch: EAPOL-Logoff
Port Unauthorized
Actual Authentication Conversation Is Between Client and Auth Server Using EAP; the Switch Is an EAP Conduit, but Aware of What’s Going on
Supplicant-to-switch leg is 802.1X (EAPOL); switch-to-AAA leg is RADIUS
Controlled port, single-host mode
A device (00-01-76-48-90-ff) appears on the port: ?? (unknown until it authenticates)
IOS
 dot1x pae authenticator
 dot1x port-control auto
00-01-76-48-90-ff is now authenticated; a second device (00-67-e5-bb-45-21) appears behind the same port: ??
Multi-host mode: once 00-01-76-48-90-ff has authenticated, other devices such as 00-67-e5-bb-45-21 are allowed through the port without authenticating
IOS
 dot1x host-mode multi-host
Multi-host mode with port-security capping the number of MAC addresses on the port
IOS
 dot1x host-mode multi-host
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 2
Recommendation:
Use 802.1X to authorize the port
Use port-security to limit the number of other devices allowed on the wire.
802.1X Client Process: timeouts
EAP-Identity-Request, DA = 01-80-c2-00-00-03 (the EAPOL group address); no answer from 00-01-76-48-90-ff (X)
2 30 seconds: EAP-Identity-Request, D = 01.80.c2.00.00.03, no answer (X)
3 30 seconds: EAP-Identity-Request, D = 01.80.c2.00.00.03, no answer (X)
4 30 seconds: EAP-Identity-Request, D = 01.80.c2.00.00.03, √ (802.1X times out)
Deployment Considerations
Benefits (SSC)
Simple, secure device connectivity
Minimizes chances of network compromise from infected devices
Reduces complexity
Restricts unauthorized network access
Centralized provisioning
Establish Secure Channel to AD (LDAP, SMB)
GPO based Logon Script Execution (SMB)
Windows boot sequence: Power Up -> Load NDIS Drivers -> DHCP -> Setup Secure Channel to DC -> Present GINA (Ctrl-Alt-Del) -> Login
DHCP—Timeout at 62 Seconds
Login Req.: the supplicant sends credentials to the switch, which forwards the credentials to the ACS server
Authorization
Example: a user in the Marketing group receives policy instructions (e.g. VLAN assignment) from the RADIUS server when the port is authorized
IOS
aaa authorization network default group radius
MAC Authentication Bypass (MAB)
5 Variable: after 802.1X times out, the switch learns the MAC address of the device (00.0a.95.7f.de.06)
6 RADIUS-Access-Request (the learned MAC address is the identity)
7 RADIUS-Access-Accept
8 √ Port Enabled
IOS
Switch(config-if)# dot1x mac-auth-bypass
Web Auth after 802.1X Timeouts
1 Client Initiates Connection—Activates Port Authentication State Machine
2 Switch Port Filters Traffic, Limiting It to HTTP, HTTPS, DNS and DHCP
3 Switch Port Relays DHCP Address from DHCP Server
4 User Starts Web Browser and Initiates Web Connection
5 Switch Port Redirects URL and Presents HTTP Form Prompting for Userid/Pwd
6 User Enters Credentials—They Are Checked Against RADIUS DB via PAP—If Authenticated Then Switch Port Opened for Normal Network Access
7
Guest VLAN: 802.1X Client Process
2 30 seconds: EAP-Identity-Request, D = 01.80.c2.00.00.03, no answer (X)
3 30 seconds: EAP-Identity-Request, D = 01.80.c2.00.00.03, no answer (X)
4 30 seconds: EAP-Success, D = 01.80.c2.00.00.03 (√); Port Deployed into the Guest VLAN
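The timing in the figures above (an EAP-Identity-Request every 30 seconds, three requests in all, then the Guest VLAN) and the Windows boot slide (DHCP client gives up at 62 seconds) are the deck's numbers; the model below, which is an added example and not code from the deck or from Cisco, puts them on one timeline so the deployment problem is visible: with the deck's defaults the port falls back to the Guest VLAN at 90 seconds, after the PC's DHCP client has already stopped asking. The class `Dot1xTimers`, the constant `DEFAULT_DHCP_TIMEOUT` and the function names are this example's own; it assumes the fallback fires when the last of the three requests goes unanswered, as the figure shows, and that the IOS retry count governing that fallback is the only other knob.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not from the Cisco deck. Models the deck's timeout figure:
# EAP-Identity-Request every TxPeriod seconds, three requests in total
# (the first plus two retransmissions), then the timeout action (Guest VLAN),
# against a Windows DHCP client that gives up after 62 seconds.
DEFAULT_DHCP_TIMEOUT = 62       # seconds, from the deck's Windows boot slide


@dataclass(frozen=True)
class Dot1xTimers:
    tx_period: int = 30         # seconds between EAP-Identity-Requests (deck: TxPeriod = 30)
    retransmissions: int = 2    # requests re-sent after the first one (two, as in the figure)


def identity_request_times(timers: Dot1xTimers) -> list[int]:
    """Seconds after link-up at which each EAP-Identity-Request is sent (first at 0)."""
    return [n * timers.tx_period for n in range(timers.retransmissions + 1)]


def timeout_at(timers: Dot1xTimers) -> int:
    """Seconds after link-up at which the last unanswered request expires (fallback fires)."""
    return (timers.retransmissions + 1) * timers.tx_period


def timeline(timers: Dot1xTimers, dhcp_timeout: int = DEFAULT_DHCP_TIMEOUT,
             fallback: str = "Guest VLAN") -> list[tuple[int, str]]:
    """Merged, time-ordered view of what the switch and a supplicant-less Windows PC do."""
    events = [(t, f"EAP-Identity-Request #{n} to 01-80-c2-00-00-03, no reply")
              for n, t in enumerate(identity_request_times(timers), start=1)]
    events.append((dhcp_timeout, "Windows DHCP client gives up (no lease yet)"))
    events.append((timeout_at(timers), f"802.1X timeout: port deployed into {fallback}"))
    return sorted(events, key=lambda e: e[0])


def dhcp_survives(timers: Dot1xTimers, dhcp_timeout: int = DEFAULT_DHCP_TIMEOUT) -> bool:
    """True when the port falls back before the PC's DHCP client stops trying."""
    return timeout_at(timers) <= dhcp_timeout


def max_tx_period(dhcp_timeout: int = DEFAULT_DHCP_TIMEOUT, retransmissions: int = 2) -> int:
    """Largest whole-second TxPeriod whose fallback still lands inside the DHCP window."""
    return dhcp_timeout // (retransmissions + 1)


if __name__ == "__main__":
    for timers in (Dot1xTimers(), Dot1xTimers(tx_period=max_tx_period())):
        print(f"TxPeriod={timers.tx_period}s -> fallback at {timeout_at(timers)}s, "
              f"DHCP survives: {dhcp_survives(timers)}")
        for t, what in timeline(timers):
            print(f"  t={t:3d}s  {what}")
```

Run it and the first timeline shows the DHCP client giving up at 62 s, well before the Guest VLAN at 90 s; `max_tx_period()` returns 20, the largest whole-second interval for which the deck's three-request fallback (60 s) still lands inside the DHCP window. Treat that number as a planning input, not a recommendation: a shorter TxPeriod also makes real supplicants race the switch during boot, which is the trade-off the deck's Deployment Considerations section is about.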
Failed authentication (Client, Switch, AAA)
1 *EAPOL-Start
2 EAP-Identity-Exchange
3 RADIUS-Access-Request
4 RADIUS-Access-Request
5 EAP Exchange
6 RADIUS-Reject
7 EAPOL-Failure
X Port is never granting access
*Note: EAPOL-Starts are optional, possibility of EAP-NAK left out intentionally, and EAP exchange dependent on method
802.1X: User Unknown!
16 RADIUS-Access-Request
17 EAP-Data-Request
… EAP Exchange …
18 RADIUS-Reject
19 EAPOL-Failure
√ Port is now granted access to auth-fail-VLAN (Client, Switch, AAA)
It is up to the supplicant to access the network.
IOS
dot1x auth-fail vlan 50
RADIUS server not responding (Client, Switch, AAA)
1 EAP-Identity-Exchange
2 RADIUS-Access-Request, retransmitted (RADIUS-Access-Request, RADIUS-Access-Request), no reply from AAA (X)
3 EAPOL-Failure
X Port is not granting access
Figure: EAP-Success/Failure; Untagged 802.3 traffic; Controlled port versus Un-Controlled port (EAPOL, and EAPOL+CDP, pass the Un-Controlled port)
2 PC Leaves
3 √? Port Remains Authorized
4 Illegitimate User
An illegitimate user can now gain access to the port by spoofing the authenticated MAC address, and bypass 802.1X completely—Security Hole
In an attempt to work around this, some customers have enabled periodic reauthentication of end-devices
This is not the reason to enable reauthentication
We need to deal with the fact that any machine can disappear from the network and the switch (and 802.1X) does not know about it explicitly (i.e. link doesn’t go down)
2 PC Leaves
3 √? Port Remains Authorized
4 Legitimate User
5 Security Violation (X)
A legitimate user may now attempt to gain access to the port by way of 802.1X
However, assuming MAC addresses are different, now the switch may treat this as a security violation!
In an attempt to work around this, some customers have enabled periodic reauthentication of end-devices
This is not the reason to enable reauthentication
Overall, same issue as previous slides
2 PC Leaves (X X)
3 EAPOL-Logoff Transmitted
4 √ New Authenticated Session
Non-Cisco IP phone without a supplicant: 802.1X Process
EAP-Identity-Request, D = 01.80.c2.00.00.03, repeated at 30-second intervals with no answer (X at 2 and 3) until the timeout (√ at 4)
2 802.1X times out (phone not allowed to communicate to the network yet)
4 Switch receives Access-Accept & information that the device is an IP phone. Port-forwarding is allowed on either VLAN.
5 Non-Cisco phone continues to send traffic which is now allowed on the PVID as a result of authenticating the MAC-Address. Phone then reboots onto VVID normally.
show dot1x interface: PC and phone on the same port
Slide callouts: Guest-VLAN, Auth-Fail-VLAN, AAA-Fail-VLAN
MaxReq          = 2
TxPeriod        = 30
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled (EAP)
Inactivity      = None
Guest-VLAN      = 401
Dot1x Authenticator Client List
-------------------------------
Domain                = DATA
Supplicant            = 1222.c0a8.0102
Auth SM State         = AUTHENTICATED
Auth BEND SM Stat     = IDLE
Port Status           = AUTHORIZED
Authentication Method = Dot1x
Authorized By         = Authentication Server
VLAN Policy           = 100
(PC authenticated by 802.1X)

Domain                = VOICE
Supplicant            = 000f.8fb7.16a0
Auth SM State         = AUTHENTICATED
Auth BEND SM Stat     = IDLE
Port Status           = AUTHORIZED
Authentication Method = MAB
Authorized By         = Authentication Server
VLAN Policy           = N/A
(Phone authenticated by MAB)
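The client list above is what an operator reads by hand; at scale it is worth parsing, because the deck's earlier slides make the point that a MAB authorization rests only on a MAC address, which can be spoofed. The parser below is an added example, not code from the deck or from Cisco: it splits the `Dot1x Authenticator Client List` into one record per client and flags authorized clients whose authorization is weaker than 802.1X to an authentication server. `SAMPLE_DECK` is the deck's own output; `SAMPLE_CONSTRUCTED` is a made-up variant with a DATA-domain device authorized by MAB, and the policy in `review` (MAB is expected only in the VOICE domain, as for the deck's phone) is this example's assumption.

```python
from __future__ import annotations
import re

# Added example, not from the Cisco deck. The first sample is the deck's own
# 'Dot1x Authenticator Client List' (PC by 802.1X, phone by MAB); the second is
# constructed: a DATA-domain device (the deck's PC MAC) authorized by MAB only.
SAMPLE_DECK = """\
Dot1x Authenticator Client List
-------------------------------
Domain                = DATA
Supplicant            = 1222.c0a8.0102
Auth SM State         = AUTHENTICATED
Auth BEND SM Stat     = IDLE
Port Status           = AUTHORIZED
Authentication Method = Dot1x
Authorized By         = Authentication Server
VLAN Policy           = 100

Domain                = VOICE
Supplicant            = 000f.8fb7.16a0
Auth SM State         = AUTHENTICATED
Auth BEND SM Stat     = IDLE
Port Status           = AUTHORIZED
Authentication Method = MAB
Authorized By         = Authentication Server
VLAN Policy           = N/A
"""

SAMPLE_CONSTRUCTED = """\
Dot1x Authenticator Client List
-------------------------------
Domain                = DATA
Supplicant            = 0001.7648.90ff
Auth SM State         = AUTHENTICATED
Auth BEND SM Stat     = IDLE
Port Status           = AUTHORIZED
Authentication Method = MAB
Authorized By         = Authentication Server
VLAN Policy           = N/A
"""

# "Key words   = value"; the title and dashed rule carry no '=' and are skipped.
KV = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_client_list(text: str) -> list[dict[str, str]]:
    """One dict per client; every 'Domain' line opens a new client record."""
    clients: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Domain" and current:
            clients.append(current)
            current = {}
        current[key] = value
    if current:
        clients.append(current)
    return clients


def review(clients: list[dict[str, str]]) -> list[str]:
    """Flag authorized clients whose authorization is weaker than 802.1X via the AAA server.

    Policy assumed by this example: MAB is acceptable only for the VOICE domain
    (the deck's phone case); anything else authorized by MAC address alone, or
    authorized locally rather than by the authentication server, is reported."""
    findings = []
    for c in clients:
        if c.get("Port Status") != "AUTHORIZED":
            continue
        mac = c.get("Supplicant", "?")
        method, domain = c.get("Authentication Method"), c.get("Domain")
        if method == "MAB" and domain != "VOICE":
            findings.append(f"{mac}: {domain} domain authorized by MAB (MAC address only, spoofable)")
        if c.get("Authorized By") != "Authentication Server":
            findings.append(f"{mac}: authorized by {c.get('Authorized By')}, not by the AAA server")
    return findings


if __name__ == "__main__":
    for name, text in (("deck", SAMPLE_DECK), ("constructed", SAMPLE_CONSTRUCTED)):
        print(name, review(parse_client_list(text)) or "no findings")
```

The deck's own output produces no findings (PC by 802.1X, phone by MAB in the VOICE domain); the constructed sample produces one. Feeding it the output of every access port gives a quick inventory of where the network is trusting a MAC address rather than a credential.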
2 EAPOL-Success (switch to client) / 2 Access-Accept (AAA server to switch)
3 Accounting-Request (switch to AAA server)
4 Accounting-Response (AAA server to switch)
Accounting-Request packets contain one or more AV pairs to report various events and related information to the RADIUS server
Tracking user-level events uses the same mechanism
IOS
aaa accounting dot1x default start-stop group radius
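With start-stop accounting configured as above, every authorized session should produce a Start record and, when the host logs off or the link drops, a Stop record. The earlier slides showed the failure mode this exposes: a PC that leaves a hub-connected port without the switch noticing leaves the port authorized, and in the accounting stream that shows up as a Start with no matching Stop. The code below is an added example, not code from the deck or from Cisco: it parses constructed accounting records written as flat `timestamp attr=value ...` lines (the attribute names are the standard RADIUS accounting ones, Acct-Status-Type, Acct-Session-Id, Calling-Station-Id, NAS-Port-Id; the MAC addresses are the deck's), pairs Start and Stop by session id, and lists sessions open longer than a threshold. The line format, `NOW`, `ONE_HOUR` and the function names are this example's own.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Added example, not from the Cisco deck. Constructed accounting records in a
# flat "timestamp attr=value ..." form; attribute names are the standard RADIUS
# accounting ones (RFC 2866/2869). MAC addresses are the deck's own.
SAMPLE_ACCOUNTING = """\
2008-05-01T08:00:00Z Acct-Status-Type=Start Acct-Session-Id=00000A01 User-Name=jsmith Calling-Station-Id=12-22-C0-A8-01-02 NAS-Port-Id=GigabitEthernet1/0/1
2008-05-01T08:05:00Z Acct-Status-Type=Start Acct-Session-Id=00000A02 User-Name=jdoe Calling-Station-Id=00-01-76-48-90-FF NAS-Port-Id=GigabitEthernet1/0/2
2008-05-01T09:30:00Z Acct-Status-Type=Stop Acct-Session-Id=00000A01 User-Name=jsmith Calling-Station-Id=12-22-C0-A8-01-02 NAS-Port-Id=GigabitEthernet1/0/1 Acct-Session-Time=5400 Acct-Terminate-Cause=User-Request
2008-05-01T11:50:00Z Acct-Status-Type=Start Acct-Session-Id=00000A03 User-Name=mlee Calling-Station-Id=00-67-E5-BB-45-21 NAS-Port-Id=GigabitEthernet1/0/3
"""

# Reference time and threshold used by the stand-alone run (constructed).
NOW = datetime(2008, 5, 1, 12, 0, tzinfo=timezone.utc)
ONE_HOUR = timedelta(hours=1)


def parse_records(text: str) -> list[dict]:
    """One dict per line: 'timestamp' (aware datetime) plus every attr=value pair."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = {"timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def sessions(records: list[dict]) -> dict[str, dict[str, dict]]:
    """Group records by Acct-Session-Id: {session_id: {"Start": rec, "Stop": rec}}."""
    by_id: dict[str, dict[str, dict]] = {}
    for rec in records:
        by_id.setdefault(rec["Acct-Session-Id"], {})[rec["Acct-Status-Type"]] = rec
    return by_id


def stale_sessions(records: list[dict], now: datetime,
                   max_age: timedelta) -> list[tuple[str, str, str]]:
    """Sessions with a Start but no Stop that are older than max_age.

    These are the candidates for a host that left the wire while the port
    stayed authorized (the deck's 'PC leaves, port remains authorized' case);
    an EAPOL-Logoff from the host would have produced the missing Stop."""
    stale = []
    for sid, s in sessions(records).items():
        start = s.get("Start")
        if start is None or "Stop" in s:
            continue
        if now - start["timestamp"] > max_age:
            stale.append((sid, start["Calling-Station-Id"], start["NAS-Port-Id"]))
    return stale


if __name__ == "__main__":
    for sid, mac, port in stale_sessions(parse_records(SAMPLE_ACCOUNTING), NOW, ONE_HOUR):
        print(f"session {sid}: {mac} on {port} has no Stop record; verify the host is still there")
```

On the sample, session 00000A02 (the deck's PC MAC on GigabitEthernet1/0/2) is reported: it started almost four hours before `NOW` and never closed, while 00000A01 closed normally and 00000A03 is only ten minutes old. A long-lived open session is not proof of anything by itself (phones authorized by MAB stay up for days), so the threshold and the domain of the device both belong in whatever triage follows.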
Cisco Secure ACS View
Turnkey appliance
Capable of managing large volumes of Cisco Secure ACS data
Generates historical reports and monitors real-time data sent from ACS servers
Collects and correlates data from multiple Cisco Secure ACS servers and logs
Provides sophisticated reporting, alerting and troubleshooting functions for Cisco Secure ACS deployments
Currently for ACS 4.2 only
Alerts
Cisco Secure ACS View supports the following user-defined alerts:
Failed (or passed) authentications over a specified length of time for a user, user group, ACS server, etc.
Authentication inactivity over a specified length of time for a user, user group, ACS server, network access device, network device group, etc.
Specific TACACS+ command execution for a user, user group, network access device or network device group
Specific ACS server administration operations on specified ACS servers
ACS Problem — Certificate Trust Issues
One of the most common issues seen in deployment
Indicates that the CA certificate is not installed and trusted on the supplicant
Authentication — Today
802.1X timeout (EAP unanswered) → Guest VLAN; 802.1X failure (EAP X) → Failed Auth VLAN
Looking forward: 802.1X failure/timeout (figure)
Open Mode
For Each 802.1x Switch Port, the Switch Creates TWO Virtual Access Points at Each Port
Uncontrolled Port Provides a Path for Extensible Authentication Protocol over LAN (EAPOL) Traffic ONLY
Uncontrolled Port continues to provide a Path for EAPOL AND CDP Traffic
2 PC Leaves (X X)
3 CDP Notification Transmitted
4 √ New Authenticated Session
Improved Logging/Monitoring
1 802.1X/MAB Authentication
X No traffic detected from PC
Client 1 Authentication
Client 2 Authentication
Recommended Reading
Network Security Architectures
Network Security Fundamentals
Network Security Principles and Practices
Cisco Access Control Security: AAA Administration Services
Cisco Wireless LAN Security
Cisco Network Admission Control, Vol. I and II
Summary
Identity Networking improves enterprise security
Identity Networking improves enterprise visibility
Identity Networking is a platform for other security initiatives, e.g. NAC
Keys to success:
Understand your security requirements
Understand the Windows boot process
Choose the right authorization for your requirements
Understand implications of IP Telephony
Expend effort up front to identify and plan for impact of 802.1X
Identity Networking Is Deployable Today