brksec-2580 - introduction to cisco secure acs 5.0
TRANSCRIPT
© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1
Introduction to Cisco Secure ACS 5.0
BRKSEC-2580
Agenda
Overview
Policy Model
Managing Policy
Deployment
Migration
Licensing
More Information
Cisco Secure ACS 5.0
Overview
Next-Generation Access Policy Management
Single platform for network access and device administration
Extremely flexible policy administration
New web-based administration
Advanced troubleshooting, monitoring, and reporting tools
New Linux-based platform for robustness, scalability and performance
ACS 5.0 Platform Options
Linux Appliance
One rack-unit (1RU) security-hardened, Linux-based appliance
VMWare version
Software application and Linux operating system image for installation on VMware ESX 3.5
ACS 5.0: Focus On Core Dot1x And Device Administration Use Cases
Core network access use cases
802.1X wired & wireless access using passwords or certificates
Authentication to ACS internal database or external directories
Host lookup for devices with no supplicant (“MAC auth bypass”)
Basic functionality for standard Device Administration use cases
RADIUS/TACACS+ shell login authorization
TACACS+ per-command authorization (ACS “command sets”)
Other use cases may not be supported
ACS 5.0 does not deliver complete parity with ACS 4.x
More complete feature parity planned for future releases
See More Information for a detailed ACS 4.x comparison
ACS 5.1: Address Other Use Cases
ACS 5.1 – Q4CY09
One-Time Passwords for remote access, dot1x and device administration scenarios
Advanced TACACS+ features such as password change
Advanced network access handling such as RADIUS proxy and AD certificate comparison
Contact your account team for more ACS 5.1 information
Cisco Secure ACS 5.0
Policy Model
ACS 4.x: Group-Based Policy Model
User Groups (figure):
Employee Group – Permissions: Employee_VLAN; Restrictions: None
NetAdmin Group – Permissions: Full Access; Restrictions: None
Guest Group – Permissions: Guest_VLAN; Restrictions: Time_of_Day
Group-based policy
User is authenticated & associated to a group
Authorization based on static permissions and restrictions for the user’s group
User subjected to SAME restrictions and gets SAME permissions ALWAYS
Works well if Identity is the dominant or only condition
Does not work well for complex authorization policies based on dynamic conditions
Example: Employee gets full access when on-site & restricted access when coming in remotely
ACS 5: Rules-Based Policy Model
(Figure: Identity, such as the Employee, NetAdmin and Guest groups, plus Other Conditions such as Location, Posture, Access Type and Time & Date, are evaluated by Policy Rules against Policy Elements to select an Authorization Profile: Engineering, Human Resources, Login VLAN, Guest, Quarantine or Deny Access.)
Example policy rules:
CONDITIONS                 RESULT
ID GROUP    LOCATION       AZN PROFILE
ENG         SJ_CAMPUS      SJ_ENG
ENG         RTP_CAMPUS     RTP_ENG
ENG         EXTERNAL       EXT
IF NO MATCH                DENY ACCESS
Identity is decoupled from permissions
Authorization based on identity and conditions specified as policy rules
IF <condition(s)> THEN <permission>
Flexible Policy Conditions
Network information – AAA protocol, AAA client, network device group
AAA information – EAP type, MAC address, other AAA attributes
Certificate attributes
Identity store user attributes and group memberships
ACS internal store, Active Directory, LDAP directories
Access Services Implement ACS Policy
(Figure: an AAA Request enters ACS, is processed by an Access Service, and an AAA Response is returned.)
ACS Service Selection
(Figure: Service Selection routes each AAA Request to Access Service 1, 2 or 3, which produces the AAA Response.)
ACS Service Selection Criteria
AAA protocol
Network device group
ACS server
Request attributes
Date and time
AAA client
Access Service Components
Identity Policy
Selects the Identity Store (or stores) to be used for authentication and retrieval of identity attributes
Group Mapping Policy (optional)
Used to “normalize” identity information by mapping from collected identity attributes to an internal “Identity Group”
External Server Check (optional)
Allows additional attributes to be collected from external policy systems
Authorization Policy
This is the heart of ACS, where all collected attributes are evaluated to arrive at an authorization policy decision
Identity Policy
Policy to select identity stores that are used to authenticate and retrieve attributes/group info
Flexibility in selection of identity store
Static, e.g. “Always use LDAP”
Conditional, e.g. “Use CORP_AD if MSCHAPv2 is used”
Example identity policy:
Authentication Method    Identity Store
X509 Certificate         Certificate Profile
MSCHAPv2                 CORP_AD
If no match              Deny Access
Authorization Policy
ID Group   Location   Access Type   Time & Date   Compliance      Azn Profile
ENGR       -          -             -             Compliant       ENG
ENGR       -          -             -             Not Compliant   PUB, ENG
CONT       CAMPUS     WIRED         DAY           Compliant       CONT
CONT       CAMPUS     WIRELESS      DAY           Compliant       CONT_WLAN
PRINTERS   CAMPUS     WIRED         -             -               PTR
DEFAULT (If no match found)                                       QUAR
First match (permissions cannot be merged)
Discrete columns per condition element
Authorization profiles may be combined in Rule results
Conflict resolution via precedence order
Allows “hierarchy” of Authorization profiles, reduces proliferation of individual profiles
Default rule (If no match found)
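The following is an added illustration, not Cisco code, of how the authorization policy table above is evaluated: first match wins, a “-” cell means the condition is not used, several Authorization Profiles can be combined in one rule result with conflicts settled by precedence order, and the default rule applies when nothing matches. Only the group, condition and profile names come from the slide; the profile attribute values, the precedence order and the request attribute keys are assumed.

```python
# Added example (not Cisco code): evaluation of an ACS 5-style authorization policy.

# Authorization Profiles: name -> permission attributes returned on access accept.
# Only the profile names come from the slide; the attribute values are constructed.
PROFILES = {
    "ENG":       {"Tunnel-Private-Group-ID": "10", "Session-Timeout": "28800"},
    "PUB":       {"Tunnel-Private-Group-ID": "50", "Filter-Id": "pub-acl"},
    "CONT":      {"Tunnel-Private-Group-ID": "20"},
    "CONT_WLAN": {"Tunnel-Private-Group-ID": "21"},
    "PTR":       {"Tunnel-Private-Group-ID": "30"},
    "QUAR":      {"Tunnel-Private-Group-ID": "99", "Filter-Id": "quarantine-acl"},
}

# Assumed precedence order: when combined profiles set the same attribute the
# profile listed first wins (restrictive profiles ahead of permissive ones).
PRECEDENCE = ["QUAR", "PUB", "ENG", "CONT", "CONT_WLAN", "PTR"]

# Policy rules in evaluation order: (conditions, result profiles).
# A column absent from the conditions is the '-' cell: not used for matching.
POLICY = [
    ({"id_group": "ENGR", "compliance": "Compliant"},                          ["ENG"]),
    ({"id_group": "ENGR", "compliance": "Not Compliant"},                      ["PUB", "ENG"]),
    ({"id_group": "CONT", "location": "CAMPUS", "access_type": "WIRED",
      "time": "DAY", "compliance": "Compliant"},                               ["CONT"]),
    ({"id_group": "CONT", "location": "CAMPUS", "access_type": "WIRELESS",
      "time": "DAY", "compliance": "Compliant"},                               ["CONT_WLAN"]),
    ({"id_group": "PRINTERS", "location": "CAMPUS", "access_type": "WIRED"},  ["PTR"]),
]
DEFAULT_RESULT = ["QUAR"]  # default rule: used when no row matches


def rule_matches(conditions, request):
    """Every condition column the rule uses must equal the request's attribute."""
    return all(request.get(column) == value for column, value in conditions.items())


def combine_profiles(names):
    """Merge profile attributes; on conflict the higher-precedence profile's value stays."""
    merged = {}
    for name in sorted(names, key=PRECEDENCE.index):
        for attribute, value in PROFILES[name].items():
            merged.setdefault(attribute, value)  # already set by a higher-precedence profile
    return merged


def authorize(request):
    """First match wins. Returns (profile names, attributes sent to the AAA client)."""
    for conditions, profiles in POLICY:
        if rule_matches(conditions, request):
            return profiles, combine_profiles(profiles)
    return DEFAULT_RESULT, combine_profiles(DEFAULT_RESULT)


if __name__ == "__main__":
    # Constructed requests: attributes gathered by the identity and group-mapping policies.
    for req in ({"id_group": "ENGR", "compliance": "Not Compliant"},
                {"id_group": "CONT", "location": "CAMPUS", "access_type": "WIRELESS",
                 "time": "NIGHT", "compliance": "Compliant"}):
        print(req, "->", authorize(req))
```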
Cisco Secure ACS 5.0
Managing Policy
ACS 5.0 Graphical User Interface
Service Selection
ACS Access Services
2 Access Services by default
User configurable / customizable
Location NDG Hierarchy
Network Device List
Network Device Properties
Users and Identity Stores
Internal Users
LDAP Directories
LDAP Directory Configuration
Active Directory Configuration
AD Groups
Select the subset of AD groups to be made available for referencing in policy rules
AD User Attributes
Select subset of user record attributes to be retrieved and made available for reference in policy rules
Certificate Authentication Profile
Define which cert attribute is mapped to “username”
Optionally perform binary cert comparison
Identity Sequence
Define one ID source for authentication, another for additional attributes (e.g. CERT + AD groups)
Date & Time Condition
Custom Condition
Authorization Profile (permissions container)
Define set of permission attributes to be referenced in policy rules (returned in “access accept” response)
Identity Policy Example
Rule-based Identity Policy – allows use of EAP-MSCHAPv2 or EAP-TLS (client cert) for authentication
Authorization Policy Example
Authorization based on membership in AD groups, location, and date/time condition
Exception Policy Example
Set of conditions can be different than standard policy
Keeps policy exceptions & waivers separate
Cisco Secure ACS 5.0
Monitoring and Reporting
ACS 5.0 Monitoring & Reports Dashboard
Monitoring and Reports Highlights
Basic License Features
Dashboard
Real-time display of system and AAA health metrics
Reports
Pre-defined & custom reports
Favorite reports
Troubleshooting Reports & tools
Standard Log Data Storage (1 month data age-out)
Advanced Monitoring & Reporting License Features
Alarms
Define conditions and thresholds to generate alarms
Display of alarms in Monitoring Dashboard
Session Directory
Directory of all sessions, showing key data (username, MAC address, IP address, session identifier, NAD, port, policy decision, posture, etc).
AAA Accounting start/stop for session start/stop
Troubleshooting Tools
Connectivity tests (ping/nslookup/traceroute) on any device
Extended Log Data Storage (up to 1 year data age-out)
ACS 5.0: Reports
Authentication
Authentication summary, failed authentication summary, MAC authentication reports, access service authentication reports
AAA
RADIUS/TACACS+ authentication and accounting, TACACS+ authorization
Health/Operations Status
Diagnostics, health summary
ACS Administration
Administrator logins, configuration changes
Command Audit
Command audit by user/device, command authorization by user/device
Authentication Report Details
ACS 5: Session Directory Report
Reports details of RADIUS & TACACS sessions
Active, History and Lookup
ACS 5.0: Alarm Types *
Authentication activity alarms
Passed or failed authentications over a period of time
Inactivity over a period of time
Audit alarms
Command accounting, command authorization (TACACS+)
ACS configuration commands
Health alarms
ACS system process, metrics
AAA throughput
RADIUS traffic volume
* Advanced Monitoring & Reporting License
ACS 5.0 Alarms*
* Advanced Monitoring & Reporting License
ACS 5.0: Troubleshooting Tools
Authentication Query
Displays recently used MAC addresses for any particular user and passed/failed authentication activity
Authentication Failure Code Customization*
Administrator can customize ACS failure code root cause and resolution information
Connectivity to ACS
To test connectivity and download package.cab file from server
Connectivity test*
ping / nslookup / traceroute commands
* Advanced Monitoring & Reporting License
Base License Features
Advanced License Features
Cisco Secure ACS 5.0
Deployment
ACS Distributed Deployment
Consists of multiple ACS’s that are managed together
One Primary and multiple Secondary servers
All ACS instances are identical (run full ACS software version)
Each ACS can play a specific role in the deployment
Part of the functionality (AAA, Management interface, Monitoring & Reporting) could be disabled
Incremental replication model
Primary ACS is single point of configuration & to monitor secondary servers
Automatic incremental replication to Secondary servers
(Figure: the Master ACS replicates to three Secondary ACS instances through an initial database download followed by incremental replication.)
Promoting a Secondary to be a Master
Each secondary could take the role of the master
Secondary promotion to be a master is manual
The master (if not failed) is stopped
Replication is allowed to complete
The promoted secondary notifies all ACS instances
On promotion the secondary interrogates all instances for their replication status
(Figure: the original Master ACS is marked failed (X); one Secondary becomes the Promoted Master and continues DB download and incremental replication to the remaining Secondary ACS instances.)
Deployment Planning
Things to consider
Form factor : Appliance vs VMWare
Number of ACS servers : Based on performance data
Location of the server
Function : AAA server, Replication server, Monitoring & Reporting Server
Minimum ACS Deployment
Consists of 2 servers
Primary server provides all the configuration, authentication and policy requirements for the network.
Second server used as a backup server.
Replication from primary ACS to secondary ACS to keep the secondary server in synchronization.
Medium Growing ACS Deployment
As the local network grows, more Cisco Secure ACS servers need to be added to the system.
Consider promoting the primary server to perform configuration services only, using the secondary servers for AAA functions.
At this point, the primary server may be used as a centralized logging server.
Larger ACS Deployment
In a large, centralized network consider the use of a load balancer, which simplifies the deployment.
Recommended to dedicate one Cisco Secure ACS server as a Monitoring and Reports server.
Dedicated logging server is recommended due to the potential high syslog traffic.
Cisco Secure ACS 5.0
Migrating to ACS 5.0
ACS 4.2 or 5.0?
Check the 5.0 feature gap list here:
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/migrate.html#wp1052549
Evaluate using the ACS 5.0 evaluation software:
Available at: http://www.cisco.com/cgi-bin/tablebuild.pl/acs5-eval
Runs on VMware Server or ESX
Requires 60Gb disk space
90 day license
Appliance investment protection
Consider purchasing 5.0 on the 1120 appliance, and then downgrading to 4.2, in anticipation of a future upgrade to 5.x
ACS 4.x Key Feature Parity Roadmap
Device Administration
ACS 5.0 (available now): RADIUS and TACACS+ device administration with privilege levels and command sets
ACS 5.1 (Q4CY09): TACACS+ change password, enable password handling, One-Time Passwords (OTP), IP/MAC filtering
Network Access
ACS 5.0 (available now): Simple auth, EAP-TLS, PEAP-MSCHAP, FAST-MSCHAP, Mac-auth Bypass
ACS 5.1 (Q4CY09): PEAP-GTC, FAST-GTC, LEAP, RADIUS proxy, custom VSAs, AD certificate comparison
Operational
ACS 5.0 (available now): ACS admin roles and password policy
ACS 5.1 (Q4CY09): Advanced ACS admin policies, configuration provisioning
Migration Methodology
Establish a pilot ACS 5 server to develop the master ACS 5 configuration
This could be a lab server
Secondary ACS servers could be joined to this server, or its configuration could be restored to a production ACS 5 primary server
Migrate data and network access policy from existing AAA deployment(s) to this pilot ACS 5 server
Use ACS migration and import tools to create configuration data (users, devices, …)
Manually create the new ACS 5 network access policy and other configuration areas not addressed by tools
ACS 5.0 Migration and Import Tools
ACS 5.0 Migration Tool
Analyses ACS 4.x configuration data and exports key elements to ACS 5.0
Requires an ACS 4.x for Windows lab machine to import existing 4.x database and run migration tool
ACS 5.0 ships with ACS 4.x for Windows to facilitate migration
Data migrated includes users, devices, TACACS+ command sets and shell attributes, shared dACLs, EAP-FAST attributes
Import Tools
ACS 5.0 GUI User/device CSV import
Cisco Secure ACS 5.0
Licensing
ACS 5.0 Product Numbers and Pricing
Product Number        Description
CSACS-1120-K9         Cisco Secure 1120 Appliance with ACS 5.0 pre-installed and base license
CSACS-5.0-IENVM-K9    Cisco Secure ACS 5.0 Virtual appliance software for VMWare ESX with base license
CSACS-5-MON-LIC=      Cisco Secure ACS 5.0 Advanced Monitoring and Reporting add-on license (enables session directory, threshold alerting, connectivity/troubleshooting tools and up to 12 months data collection)
CSACS-5-LRG-LIC=      Cisco Secure ACS 5.0 Large Deployment add-on license
ACS 5.0 will be available as an appliance or as software for VMWare ESX.
Add-on licenses apply to an ACS deployment not per server/instance. An ACS deployment is a set of replicating ACS servers/instances.
The Large Deployment add-on license is required for ACS deployments supporting more than 500 managed devices (AAA clients).
ACS 4.x to 5.0 Upgrades
Product Number        Description
CSACS-1120-UP-K9      Cisco Secure 1120 5.0 Appliance for 4.x customers
CSACS-5.0-VM-UP-K9    Cisco Secure ACS 5.0 for VMWare ESX for 4.x customers
ACS 5.0 will not run on existing ACS 111x appliance hardware. The appliance upgrade includes new 1120 appliance hardware. Customers may be required to return the existing device or provide a certificate of destruction.
Add-on licenses described in the previous slide apply to the upgrade products as well
Cisco Secure ACS Service Offerings
Software Application Support (SAS) is offered for all ACS versions
SAS includes ACS software patches, maintenance releases and minor revisions
SMARTnet service is offered for the appliance hardware support
Both SAS and SMARTnet are required for full ACS 5.0 support coverage
Cisco Secure ACS 5.0
More Information
More Information
ACS 5.0 home page
http://www.cisco.com/go/acs
ACS 5.0 documentation
http://cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
ACS 4.2 and 5.0 comparison
http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/migrate.html#wp1052549
Contact the ACS marketing team
Summary
Summary
ACS 5.0 delivers a next-generation platform for network access and identity control
Linux-based platform
New and user-friendly graphical user interface
Powerful and flexible policy model
Integrated and enhanced troubleshooting, monitoring and reporting functionality
Robust deployment architecture
Migration requires careful planning
Understand 5.0/5.1 feature list
Download 5.0 evaluation
Consider the 1120 appliance platform even if remaining on 4.2
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.