
BRKDEV-1071

14620_05_2008_x1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1

Policy-Based Network Access Interfaces


© 2006, Cisco Systems, Inc. All rights reserved. 1


Business Policy

Policy Is Shared Across Domains: "Be Secure. Protect Our IP. Be SOX-Compliant."

Facilities Policy: "Laptops Locked to Desk. One Entry per Badge Swipe. No Tailgating."
Computer Policy: "Virus Protection. Personal Firewalls. OS Patched Up to Date."
Application Policy: "Separation of Duties. Role-Based Access. Strong Authentication."
Network Policy: "Network Segmentation. Wired/Wireless Restrictions. Intrusion Detection."

Identity and Access Policy

(Diagram: layers of the identity and access policy architecture, top to bottom)
Application and OS Policy: Desktop/OS Policy, Web Application Policy
Interfaces
Network Identity and Access Policy: Policy Administration, Information Collection/View, Policy Decision Points
Attribute Sources: AD user ID, Location, Posture, LDAP attributes, ...
Interfaces
Policy Enforcement (Network Devices): Remote Access Device, CLI/Network Mgmt, Wireless, Wired
Users and Devices: Home or Branch Office, Road Warrior, Network Operator, Campus User, Guest User, Networked Device
Identity and Access Policy
A Platform Approach

Requirements
• Interoperability and nimbleness to manage and enforce dynamic business policies
• Federation among different policy domains
• Information must be available and shared

Why a Platform?
• Provides encapsulation of information and services
• Enables extensibility and integration via interfaces

Identity and Access Policy Platform = Cisco® Secure Access Control System (ACS)

Functional Components and Interfaces

(Diagram: ACS functional components and the interfaces around them)
ACS Functional Components: Access Request Processing, Session Directory, Configuration Operation, Monitoring/Troubleshoot Reporting
Interfaces:
- Authentication and Identity: LDAP, AD
- Attribute Assertion (Web Services/SAML): ACS asserts on authentication status and network session attributes (location, access type, etc.)
- Configuration (Web Services/SPML, Scripting): read/modify policy data
- Reports (Web Services, Scripting): event reporting, statistics
Interfaces—Functions and Protocols

Programmatic Interfaces Architecture

• Web services
  - HTTPS/SOAP/XML
  - WSDL (Web Services Description Language)—describes the ACS objects, their attributes, and methods
  - Availability of tools (e.g., Axis)
• Scriptability
  - Ability to use scripting languages such as Perl to simplify automation
• Interface categories
  - Provisioning
  - Attribute assertion
  - Monitoring/troubleshooting

(Diagram: the GUI, Web Services and Scripting sit in front of the ACS functional components: Access Request Processing, Session Directory, Configuration Operation, Monitoring/Troubleshoot Reporting)
Provisioning Interface

• SPMLv2 (Service Provisioning Markup Language)—OASIS specification for provisioning interfaces
• SPML defines methods that apply to ACS objects
  - Add, lookup, modify, delete, search, listTargets
  - Defines the way to identify objects, handle associations and capabilities
  - Does not dictate the service structure—it is a markup language
• XACML for policy object model

Attribute Assertion Interface

• SAML—OASIS specification for attribute assertion interface
  - Concepts and WSDL examples
• ACS SAML profiles define
  - Web service binding
  - Representation of principals, identity, and their attributes
  - ACS dictionaries define available attributes for assertion
Monitoring and Troubleshooting Interface

• Retrieve log events
  - Per criteria: time, user, etc.
• Remote execution of reports
• Registration and notification for alerts

Example Scenarios

Scenario: Automating Common Tasks

• Sam the ACS admin wants to automate the process of entering new devices into ACS; this saves time, allows others to add devices, and minimizes errors
• He needs to do the following:
  - Enter device name
  - Device IP addresses
  - Shared secret for RADIUS/T+
  - Associate the device to the appropriate device group based on geography
• Sam is accustomed to using the ACS GUI, and he wants to quickly set up a simple Perl script for adding devices
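An added example (not from the presentation or from the ACS product, and in Python rather than the Perl the slide mentions) of the provisioning call Sam's script would make over the SPMLv2 interface described earlier: it validates the device inputs, builds one SPMLv2 addRequest, redacts the shared secret before the request is logged, and reads the addResponse. The target id, the device attribute names inside the data element and the site-to-group mapping are assumptions; the real names come from the ACS WSDL.

```python
import ipaddress
import uuid
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"
# Hypothetical ACS target id and device attribute names: the real ones come from the ACS WSDL.
ACS_TARGET = "acs-network-devices"
# Constructed mapping from the site prefix of a device name to its ACS device group.
GEO_GROUPS = {"nyc": "Americas-East", "sjc": "Americas-West", "lon": "EMEA"}

def device_group_for(name):
    """Derive the device group from the geographic site prefix of a name such as 'nyc-sw01'."""
    site = name.split("-", 1)[0].lower()
    if site not in GEO_GROUPS:
        raise ValueError("unknown site prefix in device name: %r" % name)
    return GEO_GROUPS[site]

def build_add_request(name, ips, secret):
    """Return the SPMLv2 <addRequest> that provisions one AAA client into the ACS target."""
    if not name.replace("-", "").isalnum():
        raise ValueError("device name must be alphanumeric (dashes allowed)")
    addrs = [str(ipaddress.ip_address(ip)) for ip in ips]  # ValueError on a malformed address
    if len(secret) < 16:  # a weak RADIUS/TACACS+ shared secret is a classic audit finding
        raise ValueError("shared secret must be at least 16 characters")
    ET.register_namespace("spml", SPML_NS)
    req = ET.Element("{%s}addRequest" % SPML_NS, requestID=str(uuid.uuid4()),
                     targetID=ACS_TARGET, executionMode="synchronous")
    data = ET.SubElement(req, "{%s}data" % SPML_NS)  # target-specific payload
    ET.SubElement(data, "name").text = name
    for addr in addrs:
        ET.SubElement(data, "ipAddress").text = addr
    ET.SubElement(data, "sharedSecret").text = secret
    ET.SubElement(data, "deviceGroup").text = device_group_for(name)
    return ET.tostring(req, encoding="unicode")

def redact_for_log(xml_text):
    """Blank the shared secret so the request can be written to an audit log safely."""
    root = ET.fromstring(xml_text)
    for el in root.iter("sharedSecret"):
        el.text = "***"
    return ET.tostring(root, encoding="unicode")

def parse_add_response(xml_text):
    """Return (status, psoID, error) from an SPMLv2 <addResponse>; psoID/error may be None."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}addResponse" % SPML_NS:
        raise ValueError("not an SPML addResponse")
    pso_id = root.find("./{%s}pso/{%s}psoID" % (SPML_NS, SPML_NS))
    return root.get("status"), None if pso_id is None else pso_id.get("ID"), root.get("error")
```

The request still has to travel over the HTTPS/SOAP binding the deck describes; the secret is in the XML body, so only the redacted form belongs in logs.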

Scenario: Integration with Enterprise System

• "Enterprise" has a device repository; each device that is being defined on that system also needs to be defined on ACS to allow it to function as an AAA client
• In order to avoid duplicate data entry and possible errors, the IT department would like to automate the process, such that each device defined on the device repository system is also provisioned to ACS with the subset of attributes that ACS requires

(Diagram: the Device Repository Administrator enters device data into the Enterprise Device Repository (Device DB); provisioning over web services in the enterprise setting pushes the device data to the Cisco Secure ACS database (ACS DB))
Code Walkthrough


Scenario: Helpdesk Automation

• When users are unable to access a resource (perhaps an application) they call the helpdesk; in order to troubleshoot, the helpdesk operator first needs to determine if the problem has to do with network access
• The help desk team develops a script in order to automate common network access troubleshooting tasks
• The administrator invokes the script with the user name; the script runs three different calls over the ACS programmatic interfaces
  - Get session data—Is the user connected to the network?
  - Get logged events—Were there any errors during ACS session establishment?
  - Policy data—What authorizations were granted to the user?
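An added example, not from the presentation or from ACS, of the triage logic behind the helpdesk script: it answers the three questions above from the results of the session, log-event and policy calls and turns them into one verdict for the operator. The session fields, the log line format and the authorization names are constructed stand-ins for what the real ACS interfaces return.

```python
import re

# Constructed stand-ins for what the three ACS calls return; field names are assumptions.
SESSIONS = [
    {"user": "alice", "nas": "10.0.0.5", "access_type": "wired", "started": "2008-05-14T09:55:10Z"},
]
EVENT_LOG = """2008-05-14T09:54:40Z acs1 AAA: Authen failed user=bob reason="Invalid password" nas=10.0.0.7
2008-05-14T09:55:08Z acs1 AAA: Authen OK user=alice method=SecurID nas=10.0.0.5
2008-05-14T09:55:10Z acs1 AAA: Session started user=alice nas=10.0.0.5
2008-05-14T10:01:30Z acs1 AAA: Author failed user=carol reason="No matching rule" nas=10.0.0.9"""
AUTHORIZATIONS = {"alice": ["Employee-VLAN", "Finance-ACL"], "bob": []}

# Parses the constructed log format: timestamp, host, message type, user and an optional reason.
EVENT_RE = re.compile(r'^(?P<ts>\S+) \S+ AAA: (?P<msg>Authen failed|Authen OK|Session started|'
                      r'Author failed) user=(?P<user>\S+)(?: reason="(?P<reason>[^"]*)")?')

def events_for(user, log_text):
    """Return the parsed log events for one user, oldest first."""
    out = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m and m.group("user") == user:
            out.append(m.groupdict())
    return out

def triage(user, sessions=SESSIONS, log_text=EVENT_LOG, authz=AUTHORIZATIONS):
    """Answer the three helpdesk questions and return a verdict the operator can act on."""
    session = next((s for s in sessions if s["user"] == user), None)   # 1) connected?
    errors = [e for e in events_for(user, log_text) if "failed" in e["msg"]]  # 2) ACS errors?
    granted = authz.get(user)                                           # 3) authorizations?
    if session is None and errors:
        verdict = "network access problem: %s (%s)" % (errors[-1]["msg"], errors[-1]["reason"])
    elif session is None:
        verdict = "no network session and no ACS errors: check the endpoint, not ACS"
    elif not granted:
        verdict = "connected but no authorizations granted: review the ACS access policy"
    else:
        verdict = "network access is fine: escalate to the application team"
    return {"connected": session is not None, "errors": errors,
            "authorizations": granted or [], "verdict": verdict}
```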
Code Walkthrough


Scenario: Network/Application-Integrated Access Control

• ACME Corp does not allow VPN access to sensitive financial data—in fact, the connection must be over a wired switch port, and the network access must have used an RSA SecurID token
• The finance Web application gets real-time session information from ACS (strength of authentication, and connection type: wired, wireless, VPN, etc.)
• The Web application developer uses the ACS attribute assertion web service

(Diagram: User, Web App and ACS, with the Application Policy evaluated and the asserted attributes cached)
1) Network Access
2) Access Request
3) Session Assertion
4) Application Resource Access
5) Policy Decision Request
6) Policy Evaluation
7) Attributes
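An added example (not from the presentation or from ACS) of the check the finance application makes on the SAML assertion it receives from the ACS attribute assertion web service: subject, validity window, connection type and authentication method are all verified before access is granted. The attribute names, the sample assertion and its timestamps are constructed; the real attribute names come from the ACS dictionaries.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical attribute names; the real ones are defined by the ACS dictionaries.
ATTR_ACCESS_TYPE = "NetworkAccessType"
ATTR_AUTH_METHOD = "AuthenticationMethod"
ALLOWED_ACCESS = {"wired"}  # ACME: no VPN or wireless access to financial data
ALLOWED_AUTH = {"RSA-SecurID"}  # ACME: network access must have used a SecurID token

# Constructed sample of what the ACS attribute assertion service could return for one session.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1" IssueInstant="2008-05-14T10:00:00Z">
  <saml:Issuer>acs.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-05-14T10:00:00Z" NotOnOrAfter="2008-05-14T10:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="NetworkAccessType"><saml:AttributeValue>wired</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="AuthenticationMethod"><saml:AttributeValue>RSA-SecurID</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def utc(stamp):
    """Parse a SAML UTC timestamp such as 2008-05-14T10:02:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    """Return (subject, (not_before, not_on_or_after), {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    subject = root.findtext("./{%s}Subject/{%s}NameID" % (SAML, SAML))
    cond = root.find("./{%s}Conditions" % SAML)
    if root.tag != "{%s}Assertion" % SAML or subject is None or cond is None:
        raise ValueError("not a SAML 2.0 assertion carrying Subject and Conditions")
    window = (utc(cond.get("NotBefore")), utc(cond.get("NotOnOrAfter")))
    attrs = {a.get("Name"): [v.text for v in a.findall("{%s}AttributeValue" % SAML)]
             for a in root.iter("{%s}Attribute" % SAML)}
    return subject, window, attrs

def decide(xml_text, requesting_user, now):
    """Apply ACME's rule to a fresh assertion: allow only wired access authenticated with SecurID."""
    subject, (not_before, not_on_or_after), attrs = parse_assertion(xml_text)
    if subject != requesting_user:
        return False, "assertion subject does not match the requesting user"
    if not not_before <= now < not_on_or_after:
        return False, "assertion outside its validity window; query ACS again"
    access = set(attrs.get(ATTR_ACCESS_TYPE, []))
    if not access & ALLOWED_ACCESS:
        return False, "access type %s is not a wired switch port" % (sorted(access) or "unknown")
    if not set(attrs.get(ATTR_AUTH_METHOD, [])) & ALLOWED_AUTH:
        return False, "network access was not authenticated with an RSA SecurID token"
    return True, "wired access with SecurID authentication"
```

The block trusts the assertion's content, so the application must obtain it directly from ACS over the authenticated HTTPS web service binding (or verify an assertion signature) before these checks mean anything.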
Code Walkthrough


Summary

• Numerous policy systems will exist in enterprise environments
• The next-generation identity and access policy platform (Cisco Secure Access Control System) provides interfaces for integrating it as part of your business environment
• ACS interfaces leverage open standards (Web services, XML, SPML, XACML, SAML)
Call to Action

• Evaluate your automation requirements for network identity and access policy
• Investigate how your network access can more cleanly fit as part of your enterprise defense-in-depth strategy
• Learn more about Cisco’s “Identity-Enabled Networks” solution

More Info:
• www.cisco.com/go/acs
• Matt Hur: mhur@cisco.com

Q and A

Recommended Reading

• Continue your Cisco Live learning experience with further reading from Cisco Press
• Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store

Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Receive 20 Passport points for each session evaluation you complete.
• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.