Chances are, you got authenticated today. If you withdrew money from an ATM, swiped your employee badge or joined a secure wireless network, then you provided a valid form of identification to prove who you were. Once authenticated, you were authorized for some kind of access: to your money, a building or a wireless network. The one time you might not have been authenticated was when you plugged into the wired Ethernet port in your cube. IEEE 802.1X, the protocol designed specifically to authenticate users and devices at the access edge, is not ubiquitous on wired switches. One of the reasons is that 802.1X requires a client, called a “supplicant,” to carry out the authentication. Without a supplicant, a device cannot get access. That’s not a flaw in 802.1X; it’s the purpose of 802.1X: keep unauthenticated devices off the network.

So what can be done about legacy devices that do not support 802.1X? One option is to un-configure 802.1X on ports connected to devices that are not capable of 802.1X. Besides being a nightmare for the IT administrator (“hey, what port was that printer on again?”), it is also not very secure: an intruder could simply unplug the non-802.1X-capable device and voilà! Total access to the corporate network. Clearly, this is sub-optimal.

Better solutions leverage the intelligence of the network to automate the process of getting non-802.1X-capable devices on the network. Until now, Cisco’s Identity-Based Networking Services (IBNS) has offered three solutions:

1) Configure the switch to attempt 802.1X and, if there is no response, automatically enable the port into a special VLAN (the “Guest VLAN”) with configurable access to the corporate network. With this solution, you could at least use the same configuration on every port, thus lowering the administrative overhead. However, you still have a problem: non-802.1X-capable managed assets (such as printers and IP cameras) would have exactly the same access as guests or even rogue devices. Guest VLAN alone cannot provide differentiated network access for different kinds of non-802.1X-capable devices.

2) Configure the switch to learn the MAC address of the connected device and validate it against a corporate identity store after 802.1X times out. This technique is referred to as MAC Authentication Bypass (MAB). Devices with known MAC addresses can be granted access to the corporate network, while unknown MAC addresses can be denied access or dropped into the Guest VLAN as a fallback. In addition, because the switch queries an external identity store, MAB results in a centralized record of every device that attempts to connect to the network (giving it more visibility than a pure Guest VLAN approach, where the switch simply allows the device onto the network). Of course, MAB requires an up-to-date database of the MAC addresses of every managed device on the network, which, of course, every organization has. Or do they?

3) Configure the switch to provide a login web page if the device does not respond to 802.1X requests. This is sometimes called Web-Auth or captive portal. This approach only works for devices with web browsers operated by users who can manually enter usernames and passwords. Web-Auth doesn’t do much good for printers. Fortunately, MAB and Web-Auth can be configured together so that devices that fail MAB can be offered Web-Auth as a final option.

Organizations that have successfully deployed 802.1X on their wired networks have used one or more of these solutions to support non-802.1X-capable devices. However, even with these features, it is not always smooth sailing. For starters, have you been wondering how the switch determines there is no supplicant on the attached device? The answer is simple: the switch asks if there is a supplicant on the wire and then it waits. Only after a timeout can MAB, Guest VLAN or Web-Auth do their work. This may result in significant delays in network connectivity and thus impair productivity.

To address these and other concerns, newly announced IBNS features will complement the existing solutions to smooth the deployment of 802.1X in wired networks. We’ll discuss these features in our IBNS Second Life TechChat on December 11.

Written by Shelly Cadora, PhD*

*Shelly will be one of our speakers during the December Cisco Live in Second Life TechChat. She is a technical marketing engineer for Identity-Based Networking solutions. She is a 10-year Cisco veteran with a CCIE in Routing and Switching (#16318). Prior to becoming involved with Identity and 802.1X, she was involved in the development of the ASA firewall and Cisco IP Telephony solutions.
Here’s a neat idea that we’d like your feedback on. We have set up a simple search plug-in that works in Internet Explorer and Netscape.

The way it works is that you can add it to your browser and then use the search pulldown built into your browser to search Cisco.com even if you’re not right on the site.

We’ve set up a page that explains how it works and how you can play with the options. If there is interest, we will probably do a final implementation that could be added as a plug-in to your browser from any page.

There’s a conversation on the NetPro Idea Center where you can join the discussion about the ins and outs of the plug-in.

Enjoy!
This TechChat featured Srinivas Kotamraju, Solutions Marketing Manager in the Network Systems Marketing Team, and Anurag Gurtu, Technical Marketing Engineer currently focusing on the Cisco integrated services router platform, both at Cisco. In addition, Georges Boutros, Partner Development Manager with Sagem-Interstar, discussed the XMediusFAX Fax over IP (FoIP) solution suite. During this TechChat, Kotamraju and Gurtu talked about how to use Cisco’s integrated services router platform to create innovative applications and explore potential business opportunities.

View this archived discussion to learn about the Cisco Application Extension Platform (AXP):

* How it allows you to easily integrate the branch network, applications, and IT infrastructure, therefore increasing your operational efficiency and lowering TCO.
* Capabilities include a Linux hosting environment, support libraries, a software development kit, and more.
* Hear about existing solutions developed by Cisco partners on the AXP.

Click play below to watch the archive.

To learn more about the Cisco Application Extension Platform (AXP), go to:

* The Cisco AXP Overview
* Introduction to the Cisco AXP
* Think Inside the Box
* Cisco Application Extension Platform presentation (PDF, 6 MB)

We need your feedback. Please complete a brief survey on the Nov 20th event.
One of our speakers for the “Networks That Know You: Cisco Identity-Based Networking Services” December 11, noon Pacific Cisco Live in Second Life TechChat will be writing a series of blog posts to lay the foundation regarding the relevant technologies for the event. The hope is that this will expedite relevance for all attendees and stimulate a more immersive discussion during the live TechChat.Below is the first in this series focusing on 802.1X.
Has this ever happened to you? You’re visiting a customer or a vendor and the security guard insists that you leave your laptop with him while you’re inside the building. Or perhaps you are allowed to keep your laptop on the condition that you only plug into the yellow wall jacks labeled “Visitor.” In both situations, the end goal is the same: companies are trying to prevent unauthorized access to the network and networked resources. The first solution, though effective, is Draconian in its effect on productivity: why have a mobile device if you can’t get any work done when you’re on the road? The second solution has less impact on productivity, but there’s less security and no visibility. Once you’ve been let loose in the building, the honor system is all that keeps you from plugging into a green wall jack and gaining full access to the corporate network. At that point, there is no way to monitor what you are doing on the corporate network: all the IT administrators know is that you’re “supposed to be” in the yellow jack. Moreover, application-level security is not enough to protect corporate assets from such accidental (or deliberate) incursions. Some legacy applications cannot be fully secured at Layer 7, and there are plenty of other vulnerable targets on the network.

Fortunately, there is another way: leverage the intelligence of the network to identify each user as they come onto the network and dynamically grant the appropriate level of access to that user. This is the founding premise of Identity-Based Networking Services (IBNS), a Cisco solution for identity-based network access control. IBNS starts with 802.1X, an IEEE specification that describes how to authenticate users and devices in order to provide port-based access control. An 802.1X-enabled port drops all traffic until the connected device provides valid credentials. The only traffic allowed through the port is Extensible Authentication Protocol (EAP). EAP is a Layer 2 protocol that allows devices to send passwords, certificates or tokens to authenticate themselves to the network. Once authenticated, the port is opened to other kinds of traffic, subject to the dynamic security policy that has (optionally) been applied to the port.

If it’s that effective, you may ask, why isn’t everyone doing 802.1X? The answer is: they are, on wireless networks. The adoption of 802.1X on wired networks has been slowed by several factors, not the least of which is that many legacy devices assume network connectivity at link-up and/or cannot support an 802.1X client (also called a “supplicant”). In a pure 802.1X environment, these devices would never be able to gain access to the network. Talk about a productivity hit! Asking visitors to leave their laptops with the security guard looks like small potatoes if the alternative is having all printers offline. Therefore, IBNS starts with 802.1X, but it cannot end there. Deploying 802.1X in real-world wired networks requires a rich set of features that allows the network to enforce identity-based access control for all devices: printers, PCs, IP phones, guests, and so on. IBNS is an end-to-end solution that provides these features, making 802.1X a reality for wired networks.

In future blogs, we’ll talk more about these features and how to deploy them to make any 802.1X implementation faster and simpler. We’ll also discuss new ways to control and customize users’ access to the network.

Written by Shelly Cadora, PhD*

*Shelly will be one of our speakers during the December Cisco Live in Second Life TechChat.
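As an added example (not code from either post or from Cisco’s documentation), here is how the closed-until-authenticated port described in this post fits together with the MAB and Guest VLAN fallbacks from the post on non-802.1X-capable devices earlier on this page, written as a Cisco IOS access-port configuration in the auth-manager command syntax of the 12.2(50)SE-era switch releases. The interface, VLAN numbers, RADIUS server address and shared secret are placeholders, and the exact command set should be checked against the release running on your platform.

```cisco
! Global AAA and 802.1X enablement. RADIUS is the external identity
! store that both 802.1X and MAB consult, so every attempt is logged
! centrally (the visibility point made in the MAB discussion).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
dot1x system-auth-control
!
! Edge port: the same template goes on every user-facing port, which
! is what makes the approach manageable compared with un-configuring
! 802.1X on whichever port the printer happens to be on.
interface GigabitEthernet1/0/1
 description user-facing access port (placeholder)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 !
 ! Port starts closed: only EAPOL passes until some method succeeds.
 authentication port-control auto
 dot1x pae authenticator
 !
 ! Ask for a supplicant first; if nothing answers, fall back to MAB
 ! (learn the MAC and validate it against the identity store).
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 !
 ! No supplicant and no known MAC: land in the Guest VLAN (100)
 ! rather than leaving the device dark. Guests and unknown devices
 ! get restricted access; known MACs get what RADIUS authorizes.
 authentication event no-response action authorize vlan 100
 !
 ! An explicit reject from the identity store moves on to the next
 ! configured method instead of stalling the port.
 authentication event fail action next-method
 !
 ! The delay the post warns about: the switch sends EAP identity
 ! requests every tx-period seconds, max-reauth-req + 1 times, before
 ! it concludes there is no supplicant. Defaults of 30 s and 2 mean a
 ! printer waits 90 s before MAB even starts; 10 s and 2 cut it to 30 s.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

Offering Web-Auth as the final option for devices that fail MAB needs an additional fallback profile and is not shown here.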