User Directories and Campus Network Authentication - A Wireless Case Study

Similar documents
RADIUS Grows Up. Identity Management for Networks Secure IT Sean Convery Identity Engines

Identity Management for Networks

Integrating Meraki Networks with

Cisco Network Admission Control (NAC) Solution

Enterprise Guest Access

Cisco Securing Cisco Wireless Enterprise Networks (WISECURE) Download Full Version :

Identity Based Network Access

Managing NCS User Accounts

Network Segmentation Through Policy Abstraction: How TrustSec Simplifies Segmentation and Improves Security Sept 2014

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1

Managing WCS User Accounts

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

2012 Cisco and/or its affiliates. All rights reserved. 1

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series

The Aruba S3500 Mobility Access Switch

802.1X: Port-Based Authentication Standard for Network Access Control (NAC)

Case Study Captive Portal with QR Code authenticator assisted

BYOD with Ruckus. Introduction. Strong Security with Dynamic Pre-Shared Key

Wireless Network Security

Module Overview. works Identify NAP enforcement options Identify scenarios for NAP usage

5 Tips to Fortify your Wireless Network

Enterasys Network Access Control

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Securing Cisco Wireless Enterprise Networks ( )

Introduction to 802.1X Operations for Cisco Security Professionals (802.1X)

Wireless Client Isolation. Overview. Bridge Mode Client Isolation. Configuration

What Is Wireless Setup

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Cisco TrustSec How-To Guide: Phased Deployment Overview

Managing WCS User Accounts

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Cisco NAC Network Module for Integrated Services Routers

Ten Reasons your RADIUS Server Needs a Refresh:

Layer 2 authentication on VoIP phones (802.1x)

ITCertMaster. Safe, simple and fast. 100% Pass guarantee! IT Certification Guaranteed, The Easy Way!

Basic Wireless Settings on the CVR100W VPN Router

Network Configuration Example

ARUBA CLEARPASS POLICY MANAGER

Cisco Identity Services Engine (ISE) Mentored Install - Pilot

Cisco TrustSec How-To Guide: Monitor Mode

Solution Architecture

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

P ART 3. Configuring the Infrastructure

Business Guest WiFi Access the Easy Way

Security & Management for your wireless LANs. Bluesocket Wireless Gateways

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Wireless LAN Controller Web Authentication Configuration Example

The Context Aware Network A Holistic Approach to BYOD

TECHNICAL NOTE MSM & CLEARPASS HOW TO CONFIGURE HPE MSM CONTROLLERS WITH ARUBA CLEARPASS VERSION 3, JUNE 2016

802.1x Port Based Authentication

Wireless LAN Solutions

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Network Access Control: A Whirlwind Tour Through The Basics. Joel M Snyder Senior Partner Opus One

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

Cisco Exam Questions & Answers

Pulse Policy Secure X Network Access Control (NAC) White Paper

Manage Authorization Policies and Profiles

Aruba Certified Clearpass Professional 6.5

Aerohive Private PSK. solution brief

Cisco CCIE Wireless Beta Written. Download Full Version :

NNTF12_51 SIMPLY CONNECTED IN ACTION : AN OVERVIEW OF DIFFERENT USE-CASES. Tim McCarthy

Cisco Questions & Answers

Waterloo School District Wireless Network Infrastructure Project Additional Information

ISE Version 1.3 Self Registered Guest Portal Configuration Example

Networks with Cisco NAC Appliance primarily benefit from:

Wireless and Network Security Integration Solution Overview

Manage Authorization Policies and Profiles

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Secure wired and wireless networks with smart access control

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Cisco Wireless LAN Controller Module

Cisco Meraki Wireless Solution Comparison

Standard For IIUM Wireless Networking

802.1X: Background, Theory & Implementation

Exam Questions Demo Cisco. Exam Questions

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

Cisco TrustSec How-To Guide: Central Web Authentication

Cisco Exam Questions & Answers

Boosting Business Development with Citywide Wireless Access

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Introducing Cisco Identity Services Engine for System Engineer Exam

Aruba ACMP. Aruba Certified Mobility Professional

Bring Your Own Design: Implementing BYOD Without Going Broke or Crazy. Jeanette Lee Sr. Technical Marketing Engineer Ruckus Wireless

Cloudpath and Aruba Instant Integration

Borderless Networks. Tom Schepers, Director Systems Engineering

Cisco Unified Wireless Network Solution Overview

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

USP Network Authentication System & MobileIron. Good for mobile security solutions

LANCOM Techpaper Advanced Routing and Forwarding (ARF)

Aerohive Configuration Guide RADIUS Authentication

CertKiller q

TITLE GOES HERE RUCKUS CLOUDPATH ENROLLMENT SYSTEM. The only integrated security and policy management platform that delivers: COMPRISED OF:

Identity Services Engine Guest Portal Local Web Authentication Configuration Example

CENTRAL AUTHENTICATION USING RADIUS AND 802.1X

Mobility Optimized Access Layer

Technology Solution Guide

Klaudia Bakšová System Engineer Cisco Systems. Cisco Clean Access

Transcription:

User Directories and Campus Network Authentication - A Wireless Case Study Sean Convery Identity Engines Kevin Jones Metropolitan Community College

Agenda Role-based Access Control About MCC Wireless project Goals Wireless Hardware Authentication Setup Future Plans 2

Identity Engines Solutions Headquarters Industry Identity-centric Access Control for Networks Sunnyvale, CA Education, Enterprise, Government, Healthcare 3

A History Lesson Distributed Expanded threat profile leads to more security devices (IDS, VPN, Basic Host Controls). Legacy RADIUS[5] serves authentication requests but lacks richness for authorization policy. Most access IP rather than user based. Traditional perimeter firewall; security only on special purpose devices Enforcement Enforcement Authorization Policy Distribution of security continues, with authorization tied closely to enforcement. Lack of flexibility of legacy AAA leads to multiple discreet RADIUS stores and local users configured in enforcement devices. Enforcement Authorization Policy Authentication Policy Enforcement Centralized 4 The goal: 1. Centralize user authentication through flexible next-generation AAA services. 2. Centralize key elements of the authorization policy creating centralized audit and control. IdM Phase 2 IdM Phase 1 Authentication Policy Authorization Policy Authorization Policy Authentication Policy Authentication Policy Time

Network Security Evolved IT departments are now required to support more kinds of users, with more types of devices, connecting to a wider variety of network access points all while being exposed to an unprecedented degree of regulatory and audit oversight Traditional device-centric IP-based security techniques are inadequate to meet this new reality Role of the traditional inline security gateway is diminishing Organizations are turning to role-based access control (RBAC) as the new unified network security approach Supports multiple user types with multiple access profiles Addresses compliance requirements Leverages identity to integrate with the network infrastructure directly 5

Role Based Access Control Client Client - Device / user attempting to access the network Policy Enforcement Point (PEP) - network device that brokers access request and enforces policy result (i.e. WLAN AP, Firewall, VPN gateway, Ethernet switch) PEP Acct. PIP Policy Decision Point (PDP) - network device that decides policy for client based on PEP and PIP interaction PEP PDP PIP Policy Information Point (PIP) - a source of information in setting policy (i.e. user directory, asset management system) PEP PIP Accounting - Audit destination for client access and network usage Production Network 6

RBAC Example - Secure Wireless Guest Admin(s) Guest Manager User Directory (Employees only) Guest Internet Web Auth AAA 802.1X Auth Internal Network Contractor 802.1X Auth Finance Network Finance Employee All WLAN Access is authenticated enabling user audit and differentiated access Dynamic VLAN assignment segments the traffic with enforcement via ACLs Guests can be forced to the Internet only, contractors can be given restricted internal access, privileged employees can see sensitive areas Guest access is fully audited rather than open 7

Secure WLAN, 802.1X, and RBAC RBAC via 802.1X is the core component of secure WLAN Policy Server need to support rich policies and heterogeneous network gear There is more to 802.1X than basic RADIUS Directory Connectivity must leverage LDAP for user accounts and groups/attributes Supplicant Management 802.1X client configuration requires automation to ensure a supportable infrastructure Legacy Support portal solutions for outdated portions of the network and for guest access 8

Metropolitan Community College Seven Campuses serving the greater Kansas City area. Our database contains over 123,000 users. For the fall 2007 semester we have 18,124 active credit students.* Add non-credit classes and MCC has over 43,000 students each year.** *http://www.mcckc.edu/research/factbooks/mcc_fall_factbook.pdf **http://www.mcckc.edu/home.asp?qlinks=history+of+the+district 9

Our Locations Seven Campuses located around the greater Kansas City area. 10

Old Wireless Setup Consisted of SOHO wireless routers spread throughout the district. Mainly just covering the libraries and cafeterias Each one had to be managed individually Open access (no security) Unreliable 11

New Wireless Goals Expand coverage Improve Reliability and Security Easier to manage Authentication to Novell edirectory Provide Wireless Internet without compromising the normal network Did not want to load any software onto Students or Guest computers Needed and easy way to create and manage guest users that was separate from Novell edirectory 12

Wireless Hardware Cisco Wireless Control System One Wireless Control Server for the district One Wireless LAN Controller for each location (6 total) As many lightweight access points needed to cover the needed areas Each campus has a fire-walled private network dedicated for wireless The WCS system can use access-lists, but by itself can only assign an access-list per SSID 13

Cisco WCS Hierarchy WCS Server: Central Management Templates and Policies Ignition Server: Authentication Wireless Controllers: Manages Lightweight Access points DHCP for local private network Where the Access List is applied to the wireless user Rouge Detection Lightweight Access Points and Clients: Completely dependent on the controller 14

LINK SERVICE ACT STATUS PS 1 ALARM PS 2 LINK ACT LINK ACT CO NSO LE UTILITY 1 2 3 4 LINK ACT WCS Campus Level Internet Public IP Firewall V L AN 2 48 C isco 4400 Series Access Points VLAN 248 LWA P Laptop WIR ELESS LA N C O N TR O LLER Wireless MODEL 4404 100 AP Controller Clients PEAP/ MSCHAPv 2 15

Authentication Goals Needed to use LDAP to connect to the Novell edirectory for user authentication Needed to give different levels of access to different groups Certain staff and faculty need full network access, while students and guests should only get basic Internet 16

Working out the Details We were committed to using Cisco wireless hardware and Novell s Identity Manager We just needed to get them to work together Tried Cisco s Access Control Server (ACS) Tried FreeRadius Finally ended up using Identity Engines Ignition Server 3000E 17

Identity Engines Advantages Easiest to connect to Novell Identity Manager Easy to setup initially Could tell the Cisco System which ACL at the user level Provides many other options we may use in the future We felt it was a RADIUS solution that could meet all of our needs 18

Identity Engines Setup First create your service categories Next create any outbound values you need Lastly create policies 19

20 Creating an Outbound Value

21 Triggering an ACL

Ignition Server Setup After you have your service categories and attributes setup you can set up your groups These are just the groups from the Identity Engines embedded database not the Novell Identity Manager groups 22

23 Directory Hierarchy

Policy Management Once you have your attributes and groups set up you can then create your policies 24

25 Authorization Rules

Creating an Authenticator Once your policies are set you need to set up the Authenticators The Authenticator is the actual device making the radius request. At MCC the authenticators are the Cisco Wireless Controllers 26

LINK SERVICE ACT STATUS PS 1 ALARM PS 2 LINK ACT LINK ACT CO NSO LE UTILITY 1 2 3 4 LINK ACT WCS Campus Level Internet Public IP Firewall V L AN 2 48 C isco 4400 Series Access Points VLAN 248 LWA P Laptop WIR ELESS LA N C O N TR O LLER Wireless MODEL 4404 100 AP Controller Clients PEAP/ MSCHAPv 2 27

Example Access List There is an explicit deny rule that will automatically block anything not permitted by a rule. In this way we manually create an rule for permitted traffic and everything else is automatically blocked. We can have as many access lists as we need and each group can have their own unique access list. We rely on the Ignition Server to tell the wireless controllers which access list to use for each authenticated user. 28

Guests Guests are managed separately from Novell Identity Manager We use Identity Engines Guest Manager software for all Non-MCC users Guest Manager is a software suite that integrates with Ignition Server It even allows different levels of access to Provisioners. Different Provisioners can grant different levels of access to the guest users they create 29

Ignition Guest Manager This image shows the options available when creating an provisioner The Access Types are equivalent to the groups and policies you created for them on the Ignition Server 30

31 Adding a Guest User

32 Client Setup - WinXP

33 Client Setup - Mac

Issues At first could not get Vista to authenticate IDE updated the software on the Ignition server to accommodate Vista Older hardware/software combinations may not support WPA and RADIUS 34

Future Projects Now that the Ignition Server is in place and connected to Novell edirectory we can use it for all of our future RADIUS needs VPN Wired 802.1X : Some wired ports are in public areas. We plan on implementing 802.1X so that we can leave them active and control access to the normal wired network. 35

Summary Wireless users of Metropolitan Community College authenticate to Novell Identity Manager and Identity Engines Ignition Server in order to be granted access to a secure Cisco Wireless system. The Students love having wireless district wide. The Feedback has been overwhelmingly positive. Both speed an reliability has been greatly improved. Netflow reports show an almost complete drop in in unwanted traffic. 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback