14620_05_2008_x1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Policy-Based Network
Access Interfaces
BRKDEV-1071
Interfaces
[Figure: policy architecture layers, connected by interfaces. Attribute Sources: AD user ID, Network Identity, Location, Posture, LDAP attributes, … Policy Administration: Information Collection/View and Access Policy. Policy Decision Points. Policy Enforcement (Network Devices): Remote Access Device, CLI/Network Mgmt, Wireless, Wired. Users and Devices: Home or Branch Office, Road Warrior, Network Operator, Campus User, Guest User, Networked Device.]
Requirements
Interoperability and nimbleness to manage and enforce dynamic business policies
Federation among different policy domains
Information must be available and shared
Why a Platform?
Provides encapsulation of information and services
Enables extensibility and integration via interfaces
ACS Functional Components
[Figure: ACS functional components; labels: Access Request Processing, Monitoring / Troubleshoot / Reporting, Configuration, Session, Operation, Directory.]
[Figure: ACS interfaces exposed on top of the functional components: Provisioning, Attribute assertion, Monitoring/troubleshooting; components shown: Access Request Processing, Monitoring / Troubleshoot / Reporting.]
Example Scenarios
Scenario: Network/Application-Integrated Access Control

ACME Corp does not allow VPN access to sensitive financial data—in fact, the connection must be over a wired switch port, and the network access must have used an RSA SecurID token.

The finance Web application gets real-time session information from ACS (strength of authentication, and connection type: wired, wireless, VPN, etc.).

The Web application developer uses the ACS attribute assertion web service.

[Figure: message flow between User, Web App, ACS and Application Policy: 1) Network Access; 2) Access Request; 3) Session Assertion; 4) Application Resource Access; 5) Policy Decision Request; 6) Policy Evaluation; 7) Attributes. ACS is shown with attribute caching.]
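The application-side policy decision from the ACME scenario, written as an added Python example (not Cisco's or this deck's code). The session attributes the ACS attribute assertion web service would return are stood in for by a constructed dictionary, and the rule list, attribute names and values are assumptions for illustration; a user with no asserted session is denied by default.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SessionAssertion:
    """Real-time session attributes the web app obtains from ACS (step 7)."""
    user: str
    connection_type: str            # assumed values: "wired", "wireless", "vpn"
    auth_methods: Tuple[str, ...]   # assumed values, e.g. ("password", "rsa_securid")


# A rule pairs a human-readable requirement with the predicate that checks it.
Rule = Tuple[str, Callable[[SessionAssertion], bool]]

# ACME's application policy for the finance web app: every rule must hold.
FINANCE_POLICY: List[Rule] = [
    ("connection must be over a wired switch port",
     lambda s: s.connection_type == "wired"),
    ("network access must have used an RSA SecurID token",
     lambda s: "rsa_securid" in s.auth_methods),
]

# Constructed stand-in for the ACS attribute assertion web service:
# user -> attributes of that user's current network session.
ACS_SESSIONS: Dict[str, dict] = {
    "alice": {"connection_type": "wired", "auth_methods": ("rsa_securid",)},
    "bob":   {"connection_type": "vpn",   "auth_methods": ("rsa_securid",)},
    "carol": {"connection_type": "wired", "auth_methods": ("password",)},
}


def fetch_assertion(user: str) -> Optional[SessionAssertion]:
    """Policy decision request to ACS (step 5); None means no active session."""
    attrs = ACS_SESSIONS.get(user)
    if attrs is None:
        return None
    return SessionAssertion(user, attrs["connection_type"], tuple(attrs["auth_methods"]))


def evaluate(policy: List[Rule], assertion: Optional[SessionAssertion]) -> Tuple[bool, List[str]]:
    """Policy evaluation (step 6): returns (allowed, list of unmet requirements)."""
    if assertion is None:                      # deny by default without a session
        return False, ["no active network session asserted by ACS"]
    unmet = [desc for desc, check in policy if not check(assertion)]
    return (not unmet), unmet


def authorize_finance(user: str) -> Tuple[bool, List[str]]:
    """Decision the finance web app makes before serving a resource (step 4)."""
    return evaluate(FINANCE_POLICY, fetch_assertion(user))


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        print(u, authorize_finance(u))
```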
Summary
More Info:
www.cisco.com/go/acs
Matt Hur: mhur@cisco.com
Q and A