The document discusses 802.1x port-based network access control, including roles, protocols, phases and Cisco Identity Services Engine (ISE) which centralizes network access control. ISE can perform posture assessment, change of authorization and enforce policies after authentication.

Uploaded by bouzid.salim47

Session 08

• 802.1x
  • An IEEE standard used to implement port-based access control.
  • The access device allows traffic on the port only after the attached device has been authenticated and authorized.
• 802.1x main roles:
  • Authentication server
    • An entity that provides an authentication service to an authenticator.
    • Referred to as the policy decision point (PDP).
    • Cisco ISE is an example of an authentication server.
  • Supplicant
    • An entity that seeks to be authenticated by an authenticator.
    • For example, a client laptop connected to a switch port.
  • Authenticator
    • An entity that facilitates authentication of other entities attached to the same LAN.
    • Referred to as the policy enforcement point (PEP).
    • Cisco switches, wireless routers, and access points are examples of authenticators.

• 802.1x uses the following protocols:
  • Extensible Authentication Protocol (EAP)
    • An authentication protocol used between the supplicant and the authentication server to transmit authentication information.
  • EAP over LAN (EAPoL)
    • Used to encapsulate EAP packets transmitted from the supplicant to the authenticator.
  • RADIUS or Diameter
    • The AAA protocol used for communication between the authenticator and the authentication server.

SCOR Page 1

• The 802.1x port-based access control includes four phases:
  • Session initiation
    • Started either by the authenticator or by the supplicant.
  • Session authentication
    • The authenticator extracts the EAP message from the EAPoL frame and sends a RADIUS Access-Request to the authentication server.
  • Session authorization
    • If the authentication server can authenticate the supplicant, it sends a RADIUS Access-Accept to the authenticator with additional authorization information.
  • Session accounting
    • The exchange of RADIUS accounting packets between the authenticator and the authentication server.

• VLAN ACL (VLAN map)
  • Used to limit the traffic within a specific VLAN.
  • Can apply a MAC access list, a Layer 3 ACL, and a Layer 4 ACL to the inbound direction of a VLAN.
• Security Group Based ACL
  • An ACL that implements access control based on the security group assigned to a user.
• Downloadable ACL
  • An ACL that can be applied dynamically to a port.

• CISCO IDENTITY SERVICES ENGINE (ISE)
  • The centralized AAA and policy engine solution from Cisco.
  • Centralizes network access control for wired, wireless, or VPN users.
  • Network monitoring and reporting.
  • Security posture.
  • Network visibility and host identification by profiling.
  • Simplifies the experience of guest users.
  • Great support for bring-your-own-device (BYOD).
  • Leverages Cisco TrustSec technology.
  • Supports TACACS+ and RADIUS AAA services, as well as integration with Duo.

• ISE can enforce policies (also known as authorization) after performing authentication.
  • Posture assessment
    • A set of rules in a security policy that define a series of checks before an endpoint is granted access to the network.
    • Checks include the installation of operating system patches, host-based firewalls, antivirus and anti-malware software, disk encryption, and more.
  • Change of Authorization (CoA)
    • Allows a RADIUS server to adjust an active client session.
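The four session phases listed earlier and the CoA item above are all carried as RADIUS packets between the authenticator and the authentication server. The Python below is an added example written for these notes; it is not code from the notes, from Cisco ISE or from any switch. It builds and verifies the packets of that exchange: an Access-Request carrying the supplicant's EAP Response/Identity plus a Message-Authenticator, the Access-Accept with its Response Authenticator (here returning a VLAN in Tunnel-Private-Group-ID), and an RFC 5176 CoA-Request with its CoA-ACK. The shared secret, the user name "alice", the VLAN 20 and the accounting session id are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes (RFC 2865, RFC 5176) and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, COA_REQUEST, COA_ACK = 1, 2, 43, 44
USER_NAME, ACCT_SESSION_ID, EAP_MESSAGE = 1, 44, 79
MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 80, 81
SECRET = b"constructed-shared-secret"  # constructed placeholder, not a deployment value


def encode_attrs(attrs):
    """Serialise [(type, value)] as RADIUS TLVs: 1-byte type, 1-byte length including header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs back into [(type, value)], rejecting truncated or undersized attributes."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        t, ln = struct.unpack("!BB", data[:2])
        if ln < 2 or ln > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[2:ln]))
        data = data[ln:]
    return attrs


def build_access_request(ident, attrs, secret=SECRET):
    """Authenticator -> server (session authentication phase). Random Request Authenticator plus
    a Message-Authenticator: HMAC-MD5 over the packet with that attribute zeroed (RFC 3579)."""
    req_auth = os.urandom(16)
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
    return header + req_auth + body[:-16] + mac  # Message-Authenticator was appended last


def verify_message_authenticator(pkt, secret=SECRET):
    """Server side: recompute the HMAC over the packet with the attribute zeroed."""
    header, auth, attrs = pkt[:4], pkt[4:20], decode_attrs(pkt[20:])
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, header + auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received[0], expected)


def build_response(code, request, attrs, secret=SECRET):
    """Server -> authenticator (Access-Accept, CoA-ACK, ...). Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret=SECRET):
    """Receiver side: Identifier must match the outstanding request, Length must match the
    bytes received, and the Response Authenticator must verify under the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def build_coa_request(ident, attrs, secret=SECRET):
    """Server -> authenticator. RFC 5176 CoA-Request: Request Authenticator =
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret), as for Accounting-Request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_coa_request(pkt, secret=SECRET):
    """Authenticator side: a CoA-Request that does not verify under the secret is dropped."""
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def run_exchange():
    """Walk the phases with constructed values: EAP Response/Identity for user "alice" inside an
    Access-Request, an Access-Accept assigning VLAN 20 (Tunnel-Private-Group-ID, tag byte 0 then
    "20"), then a CoA-Request naming the accounting session and its CoA-ACK."""
    eap_identity = struct.pack("!BBHB", 2, 1, 5 + len(b"alice"), 1) + b"alice"
    request = build_access_request(7, [(USER_NAME, b"alice"), (EAP_MESSAGE, eap_identity)])
    accept = build_response(ACCESS_ACCEPT, request, [(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20")])
    vlan = [v for t, v in decode_attrs(accept[20:]) if t == TUNNEL_PRIVATE_GROUP_ID][0][1:].decode()
    coa = build_coa_request(8, [(ACCT_SESSION_ID, b"0000001A")])  # constructed session id
    coa_ack = build_response(COA_ACK, coa, [])
    return {"request": request, "accept": accept, "coa": coa, "coa_ack": coa_ack,
            "request_ok": verify_message_authenticator(request),
            "accept_ok": verify_response(accept, request), "vlan": vlan,
            "coa_ok": verify_coa_request(coa), "coa_ack_ok": verify_response(coa_ack, coa)}
```

Call `run_exchange()` to see every verification return True. The point of the checks is the authorization and CoA phases: the authenticator only applies the VLAN in an Access-Accept, or tears down a session on a CoA-Request, when the Response Authenticator or Request Authenticator verifies under the shared secret it holds for that server, which is why each NAS and CoA client is configured with its own secret and why a packet that fails the check should be dropped and logged rather than acted on.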

• CONFIGURING RADIUS AUTHENTICATION
  • RADIUS authentication is used in multiple scenarios: Remote Access VPN, Secure Network Access, 802.1x, and more.
  • The default behavior of 802.1X is to deny access to the network when an authentication fails.
  • There are multiple methods of authentication on a switch port:
    • 802.1X (dot1x)
    • MAB (MAC Authentication Bypass)
    • WebAuth
  • The default behavior of an 802.1X-enabled port is to authorize only a single MAC address per port.
  • Multi-Auth mode allows virtually unlimited MAC addresses per switch port, and requires an authenticated session for every MAC address.

• When you first register a Cisco ISE node as a secondary node, full replication starts automatically.
  • Incremental replication is then performed on a periodic basis.
