New Software Architecture Enables Session-Aware Networking to Massively Scale Authentication and Access Policy Control

As enterprise networks become more complex, the demands and challenges to secure them are increasing. Increased mobility, wireless networks, and Bring Your Own Device (BYOD) initiatives have broadened the attack surface. Access security must be capable of scaling to accommodate the increased access demands of myriad devices.

Session Aware Networking (SANet) is a framework and set of features that provide authentication, access control, and user specific policies. The SANet re-architecture has evolved from being a single core Cisco IOS XE application to a horizontally scalable application adapting to Cisco’s database-centric programming model. The device state is now maintained in the database along with making use of the multicore capabilities of device platforms.

The decoupling of SANet features from the IOS XE daemon allows for much greater authentication scalability and flexibility in addressing various business requirements.

Scaling Access Security

SANet is the session management software on IOS XE-based devices and plays a vital role in Identity Based Networking Services (IBNS). Enterprise wired and wireless networking products that run IOS XE use SANet to handle session management (Figure 1). Having the same control plane software for session management across all Cisco enterprise product families that run IOS XE enables two things:

Higher feature velocity and availability across all the products
A uniform control plane across all Cisco products that enables the deployment of security policies at multiple locations in the network with ease

Figure 1. SANet Architecture and Features

Following the principles of the IOS XE database-centric programming model and horizontally scalable architecture, SANet was designed to address the expanding scalability requirements of wired and wireless networks. For example, wireless LAN controllers may have higher scalability requirements compared to fixed-port switches. It offers a more consistent way to configure features across technologies, easy deployment, and customization of features. Having a single solution to address these diverse requirements simplifies through standardization.

The database-centric programming model, along with the IOS XE infrastructure, provides access to other features like compiler-integrated patching, integrated telemetry, and unified software tracing, to name a few. It also benefits from any future enhancements to the complete IOS XE stack, like process restart-ability, multi-tenancy, etcetera.

Multiple Authentication Methods and Comprehensive Policy Control

SANet provides an extensive list of authentication mechanisms and a robust policy framework that can apply policies defined locally or on an external server. Session insights or attributes are sent during authentication or accounting to a configured external server, like Cisco Identity Services Engine (ISE) or third-party servers, to make network policies flexible, consistent across the network, and easy to manage.

Authentication methods available with SANet include 802.1X, Web Authentication, and MAC Authentication Bypass (MAB). It is possible to use a combination of these methods to address various business requirements. For example, MAB followed by Web-based authentication may be used for various solutions that demand diverse types and combinations of session policies. Security policies like Access Control List (ACL) applied initially to a user session can change as an increased number of user identity details are learned. Or a policy may be applied to a guest user to limit the time that the user is allowed to be connected to the network.

SANet supports various other security solutions like Cisco TrustSec, Software-Defined Access, device visibility, Autoconf, Auto Smartports, MAC Sec, and others.