8/2/2019 Cisco IBNS Technical Review
1/48
2008 Cisco Systems, Inc. All rights reserved.

Introduction to IEEE 802.1X and Cisco Identity-Based Networking Services (IBNS)
Cisco
Abstract
Cisco Identity-Based Networking Services (IBNS) provides customized access control for wired LAN networks.
Cisco IBNS is increasingly important in campus networks as enterprises look for security, visibility, and convergence at the access edge.
Using IEEE 802.1X and supplementary technologies, Cisco IBNS is a network solution that provides the foundation for dynamic, user-differentiated policy and advanced network intelligence.
Basic Identity Concepts
What is an identity? An assertion of who we are; it allows us to differentiate between one another.
What does an identity look like? Typical network identities include:
- Username and password
- Email address: [email protected]
- MAC address: 00-0c-14-a4-9d-33
- IP address: 10.0.1.199
- Digital certificates
How do we use identities? They are used to grant appropriate authorizations: rights to services within a given domain.
What Is Authentication and Authorization?
Authentication is the process of establishing and confirming the identity of a client requesting services.
Authentication is useful only if used to establish corresponding authorization (for example, access to a bank account).
"I want to withdraw 200 euros please."
"Do you have identification?"
"Yes, I do. Here it is."
"Thank you. Here are your euros."
An Authentication System Is Only as Strong as the Method of Verification Used
Identity-Enabled Networking
Applying the Authentication Model to the Network
"I want to connect to the network."
"Identification required."
"Here is my identification."
"Identification verified. Access granted."
Why Is Cisco IBNS Important for the Campus?
1. Who are you? IEEE 802.1X (or a supplementary method) authenticates the user.
2. Where can you go? Based on authentication, the user is placed in the correct VLAN.
3. What service level do you receive? The user can be given per-user services (access control lists [ACLs] today, more to come).
4. What are you doing? The user's identity and location can be used for tracking and accounting.
Keep the Outsiders Out. Keep the Insiders Honest. Personalize the Network. Increase Network Visibility.
New Business Environment Demands Identity
- Contractors, Partners, and Guests
- No Boundary for a Global and Mobile Workforce
- New and Changing Threats
- Compliance
- Accountability for Empowered Employees
A recent Gartner survey indicates that 50% of enterprises plan to implement 802.1X in their wired networks by 2011. Gartner believes that momentum will increase strongly, and that actual enterprise adoption will reach 70% by 2011. (Gartner, "Findings: Wired 802.1X Adoption on the Rise," Lawrence Orans and John Pescatore, July 28, 2008)
IEEE 802.1X: The Foundation of Cisco IBNS
Terminology, Components, Protocols
"I want to connect to the network."
"Identification required."
"Here is my identification."
"Identification verified. Access granted."
IEEE 802.1X Terminology
- Supplicant: IEEE 802.1X client. Microsoft native supplicant and Cisco Secure Services Client (SSC)
- Authenticator: access device. Cisco Catalyst switches and access points
- Authentication Server: RADIUS and AAA server. Cisco Secure ACS, Microsoft IAS and NPS
- Back-end database: AD, LDAP
IEEE 802.1X Components
Supplicant (Cisco SSC) <- Layer 2 point-to-point -> Authenticator <- Layer 4 link -> Authentication Server
The authenticator relays between supplicant and authentication server; the actual authentication method is policy dependent.
1. Supplicant -> Authenticator: "Hi. Anybody home?"
2. Authenticator -> Supplicant: "Who are you?"
3. Supplicant -> Authenticator: "I am Alice."
4. Authenticator -> Authentication Server: "Alice requests access."
5. Authentication Server -> Authenticator: "Tell Alice to send her password in an encrypted tunnel."
6. Authenticator -> Supplicant: "Send your password in the tunnel."
7. Supplicant -> Authenticator: "Here is my encrypted password."
8. Authenticator -> Authentication Server: "Alice's encrypted password."
9. Authentication Server -> Authenticator: "Alice checks out. Let Alice on VLAN 10."
10. Authenticator -> Supplicant: "Success. You may now send traffic to the network."
IEEE 802.1X Protocols
Extensible Authentication Protocol (EAP)
- A flexible transport protocol used to carry arbitrary authentication information; defined by RFC 3748
- Establishes and manages connections
- Allows authentication by encapsulating various types of authentication exchanges (EAP methods)
EAP provides a flexible link layer security framework:
- Simple encapsulation protocol
- No dependency on IP
- Assumes no reordering
- Can run over lossy or lossless media
- Can run over any link layer (Point-to-Point Protocol [PPP], IEEE 802, etc.)
EAP over LAN = EAPoL
EAP in Context
Supplicant (Cisco SSC) <- Layer 2 point-to-point -> Authenticator <- Layer 4 link -> Authentication Server
1. Supplicant -> Authenticator: EAPoL Start
2. Authenticator -> Supplicant: EAP ID Request
3. Supplicant -> Authenticator: EAP ID Response; relayed to the authentication server as EAP Response: Alice
4. Authentication Server -> Authenticator -> Supplicant: EAP Request: Send Tunneled Password
5. Supplicant -> Authenticator -> Authentication Server: EAP Response: Tunneled Password
6. Authentication Server -> Authenticator: EAP Success, Let Alice on VLAN 10
7. Authenticator -> Supplicant: EAP Success
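The EAPoL encapsulation described under "IEEE 802.1X Protocols" and the first three frames of the exchange above (EAPoL Start, EAP ID Request, EAP ID Response), as an added example that is not part of the Cisco deck. It builds and parses the Ethernet/EAPoL/EAP headers; the constants are the standard values from IEEE 802.1X and RFC 3748, and the MAC addresses in the demo are constructed sample values.

```python
"""EAPoL/EAP frame codec for the Identity exchange above (added example, not from the deck)."""
import struct
from typing import Dict, List, Optional

PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC, destination of every EAPoL frame
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2                                    # version used by 802.1X-2004
EAPOL_TYPE_EAP_PACKET, EAPOL_TYPE_START, EAPOL_TYPE_LOGOFF = 0, 1, 2
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_SUCCESS, EAP_CODE_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eap_packet(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_frame(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Wrap an EAPoL PDU (Version(1) Type(1) Length(2) Body) in an Ethernet frame to the PAE group MAC."""
    eapol = struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body
    return PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eap(pkt: bytes) -> Dict:
    """Decode an EAP packet; Identity requests and responses also expose the identity string."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet")
    eap = {"code": code, "id": identifier}
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if length < 5:
            raise ValueError("EAP request/response without a Type byte")
        eap["type"] = pkt[4]
        eap["data"] = pkt[5:length]
        if eap["type"] == EAP_TYPE_IDENTITY:
            eap["identity"] = eap["data"].decode("utf-8", errors="replace")
    return eap


def parse_eapol_frame(frame: bytes) -> Dict:
    """Decode Ethernet + EAPoL; raise ValueError on truncated or non-EAPoL input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet and EAPoL headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL length field exceeds the frame")
    result = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version, "eapol_type": eapol_type}
    if eapol_type == EAPOL_TYPE_EAP_PACKET:
        result["eap"] = parse_eap(body)   # EAPoL-Start and EAPoL-Logoff carry no EAP body
    return result


def is_well_formed(frame: bytes) -> bool:
    """True when the frame parses cleanly; used to reject truncated or foreign frames."""
    try:
        parse_eapol_frame(frame)
        return True
    except ValueError:
        return False


def identity_exchange(supplicant_mac: bytes, authenticator_mac: bytes, identity: str) -> List[bytes]:
    """Steps 1 to 3 of the exchange: EAPoL-Start, EAP Request/Identity, EAP Response/Identity."""
    return [
        eapol_frame(supplicant_mac, EAPOL_TYPE_START),
        eapol_frame(authenticator_mac, EAPOL_TYPE_EAP_PACKET,
                    eap_packet(EAP_CODE_REQUEST, 1, EAP_TYPE_IDENTITY)),
        eapol_frame(supplicant_mac, EAPOL_TYPE_EAP_PACKET,
                    eap_packet(EAP_CODE_RESPONSE, 1, EAP_TYPE_IDENTITY, identity.encode())),
    ]


if __name__ == "__main__":
    # constructed sample MACs: supplicant 00:0c:14:a4:9d:33 (from the deck's identity slide), authenticator made up
    for f in identity_exchange(bytes.fromhex("000c14a49d33"), bytes.fromhex("001122334455"), "Alice"):
        print(parse_eapol_frame(f))
```

The parser checks the EAPoL length field against the frame before trusting it; on a real authenticator that check is what keeps a short or malformed frame from being read past its end.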
IEEE 802.1X Protocols: EAP Methods
- EAP methods define the credential type and authentication method to be used
- Supplicant and authentication server must support the same method
- Most common credential types are passwords and X.509 certificates
- Certificates often increase complexity of deployment
Prevalent EAP Methods
Method        | Client Credential     | Basis for Encryption        | Main Benefit
EAP-TLS       | Client certificate    | Not required                | Highly secure
PEAP-MSCHAPv2 | Username and password | Server-certified TLS tunnel | Does not require client certificate
EAP-FAST      | PAC                   | Server PAC                  | Requires no certificates
Factors Promoting EAP Method
- Enterprise security policy
  - Certificate authority deployment
  - Requirements such as two-factor authentication may promote the choice of EAP-TLS
- Client support
  - Windows XP supports EAP-TLS, PEAP with EAP-MSCHAPv2, and PEAP with EAP-TLS
  - Third-party supplicants support a large variety of EAP types, but not all
- Authentication server support
  - RADIUS servers support a large variety of EAP types, but not all
- Authentication store
  - PEAP with EAP-MSCHAPv2 can be used only with authentication stores that store passwords in MSCHAPv2 format
  - Not every identity store supports all EAP types
Customer choice of EAP type affects every other component
EAP Method (PEAP) in Context
Supplicant (Cisco SSC) <- Layer 2 point-to-point -> Authenticator <- Layer 3 link -> Authentication Server
1. Supplicant -> Authenticator: EAPoL Start
2. Authenticator -> Supplicant: EAP ID Request
3. Supplicant -> Authenticator: EAP ID Response; relayed to the authentication server as EAP Response: Alice
4. Authentication Server -> Authenticator -> Supplicant: EAP Request: PEAP
5. Supplicant -> Authenticator -> Authentication Server: EAP Response: PEAP (Client Hello)
6. PEAP exchange continues between supplicant and authentication server
7. Authentication Server -> Authenticator: EAP Success, Let Alice on VLAN 10
8. Authenticator -> Supplicant: EAP Success
IEEE 802.1X Protocols: RADIUS
- RADIUS acts as the transport for EAP from the authenticator to the authentication server
- RFC describing how RADIUS should support EAP between authenticator and authentication server: RFC 3579
- RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
- Usage guideline for an IEEE 802.1X authenticator's use of RADIUS: RFC 3580
- AV pairs = attribute-value pairs
Packet layout, authenticator to authentication server: IP Header | UDP Header | RADIUS Header | EAP Payload
Packet layout, authentication server to authenticator: IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs
RADIUS in Context
Supplicant (Cisco SSC) <- Layer 2 point-to-point -> Authenticator <- Layer 3 link -> Authentication Server
1. Supplicant -> Authenticator: EAPoL Start
2. Authenticator -> Supplicant: EAP ID Request
3. Supplicant -> Authenticator: EAP ID Response
4. Authenticator -> Authentication Server: RADIUS Access Request [AVP: EAP Response: Alice]
5. Authentication Server -> Authenticator: RADIUS Access Challenge [AVP: EAP Request: PEAP]
6. Authenticator -> Supplicant: EAP Request: PEAP
7. Supplicant -> Authenticator: EAP Response: PEAP
8. Authenticator -> Authentication Server: RADIUS Access Request [AVP: EAP Response: PEAP] (multiple challenge-request exchanges possible)
9. Authentication Server -> Authenticator: RADIUS Access Accept [AVP: EAP Success] [AVP: VLAN 10]
10. Authenticator -> Supplicant: EAP Success
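The RADIUS framing from "IEEE 802.1X Protocols: RADIUS" and steps 4 and 9 of the exchange above, as an added example that is not part of the Cisco deck. It serializes an Access-Request carrying Alice's EAP Response/Identity in an EAP-Message attribute, builds the Access-Accept that returns EAP Success plus the VLAN 10 assignment as AV pairs, and verifies both with the shared secret. The attribute numbers are the standard ones from RFC 2865, RFC 3579 (EAP-Message, Message-Authenticator) and RFC 3580/RFC 2868 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID for VLAN assignment); the shared secret and packet identifiers are constructed sample values.

```python
"""RADIUS Access-Request / Access-Accept codec (added example, not from the deck)."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize AV pairs as Type(1) Length(1) Value; Length counts its two header bytes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value over 253 bytes; split EAP-Message into chunks")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data: bytes) -> List[Tuple[int, bytes, int]]:
    """Return (type, value, offset_of_value) triples; reject lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length outside packet")
        attrs.append((attr_type, data[i + 2:i + length], i + 2))
        i += length
    return attrs


def _message_authenticator(pkt: bytes, header_auth: bytes, value_offset: int, secret: bytes) -> bytes:
    """HMAC-MD5 over the packet with header_auth in the header and Message-Authenticator zeroed (RFC 3579)."""
    start = 20 + value_offset
    zeroed = pkt[:4] + header_auth + pkt[20:start] + bytes(16) + pkt[start + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_request(identifier: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Access-Request: random Request Authenticator, Message-Authenticator appended as the last AV pair."""
    body = encode_attrs(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    return pkt[:-16] + _message_authenticator(pkt, request_auth, len(body) - 16, secret)


def build_response(code: int, identifier: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Access-Accept/Challenge: HMAC uses the Request Authenticator; header then gets the
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", code, identifier, 20 + len(body)) + request_auth + body
    pkt = pkt[:-16] + _message_authenticator(pkt, request_auth, len(body) - 16, secret)
    response_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + response_auth + pkt[20:]


def verify(pkt: bytes, secret: bytes, request_auth: Optional[bytes] = None) -> bool:
    """Check Message-Authenticator; for a response (request_auth given) also the Response Authenticator."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    header_auth = pkt[4:20] if request_auth is None else request_auth
    try:
        attrs = decode_attrs(pkt[20:])
    except ValueError:
        return False
    mas = [(value, off) for t, value, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return False
    value, off = mas[0]
    if not hmac.compare_digest(_message_authenticator(pkt, header_auth, off, secret), value):
        return False
    if request_auth is not None:
        expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
        return hmac.compare_digest(expected, pkt[4:20])
    return True


def vlan_from_accept(pkt: bytes) -> Optional[str]:
    """Read the VLAN from the Tunnel-* AV pairs (leading byte is an RFC 2868 tag when <= 0x1F)."""
    attrs = {t: v for t, v, _ in decode_attrs(pkt[20:])}
    untag = lambda v: v[1:] if v and v[0] <= 0x1F else v
    try:
        tunnel_type = int.from_bytes(untag(attrs[ATTR_TUNNEL_TYPE]), "big")
        medium = int.from_bytes(untag(attrs[ATTR_TUNNEL_MEDIUM_TYPE]), "big")
        group = untag(attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID])
    except KeyError:
        return None
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    return group.decode()


def demo(secret: bytes = b"constructed-shared-secret", request_auth: Optional[bytes] = None):
    """Step 4 (Access Request with EAP Response: Alice) and step 9 (Access Accept, EAP Success, VLAN 10)."""
    request_auth = request_auth or os.urandom(16)
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"Alice"           # EAP Response/Identity "Alice", id 1
    request = build_request(7, request_auth,
                            [(ATTR_USER_NAME, b"Alice"), (ATTR_EAP_MESSAGE, eap_identity)], secret)
    eap_success = bytes([3, 9, 0, 4])                           # EAP Success, id 9
    tag = b"\x01"
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [
        (ATTR_EAP_MESSAGE, eap_success),
        (ATTR_TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (ATTR_TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, tag + b"10"),
    ], secret)
    return request, accept, request_auth
```

The point a practitioner should take from this: the VLAN instruction rides in ordinary AV pairs, so the authenticator must verify the Message-Authenticator and Response Authenticator with the shared secret before acting on them; the test below shows that changing the VLAN string invalidates the Accept.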
Next Section: Wired IEEE 802.1X Port-Based Access Deployment
Why Is Identity Difficult in the Wired LAN?
WLANs
- Relatively new technology
- Required a client from the beginning
- No old-technology host issues to deal with
Remote-access VPN
- Relatively new technology
- Required a client from the beginning
- No old-technology host issues to deal with
Wired Ethernet Networks
- Ethernet is a mature technology, widely deployed
- Never really required an authentication client
- 20 years of older protocols, devices, operating systems, and applications, most of which were built with the assumption of open connectivity
IEEE 802.1X in Wired Environments
- A change from all this
- Requires prior knowledge of device capabilities before configuring the access port (major operating expense challenge)
Features to Help with Wired IEEE 802.1X Deployments
- FlexAuth: single-port configuration with flexible authentication technology (IEEE 802.1X, MAB, and WebAuth)
- 802.1X open mode: enhanced IEEE 802.1X authenticator (wired switches, etc.) to address OS, protocol, and management application issues
- IP Telephony (IPT) integration enhancements: MDA
- Simplification of MAB
- Network access point (NAC) profiler: provides endpoint discovery and profiling
IEEE 802.1X: The Foundation of Identity
Supplicant (IEEE 802.1X client) <- EAP over LAN (EAPoL) -> Authenticator (switch, access point, etc.) <- RADIUS -> Authentication Server (Cisco Secure ACS, etc.)
- IEEE 802.1 working group standard
- Provides port-based access control using authentication
- Defines encapsulation for EAP over IEEE 802 media: EAPoL
- Enforcement using MAC-based filtering and port-state monitoring
Default Port State Without IEEE 802.1X
No visibility; no access control
No authentication required: the user's DHCP, TFTP, KRB5, HTTP, and any other traffic passes the switch port.
Default Security with 802.1X (Before Authentication)
No visibility (yet); strict access control
  interface FastEthernet 3/48
   authentication port-control auto
All traffic except EAPoL is dropped: the user's DHCP, TFTP, KRB5, and HTTP are blocked at the switch port; only EAPoL passes.
One physical port > two virtual ports:
- Uncontrolled port (EAPoL only)
- Controlled port (everything else)
Default Security with 802.1X (After Authentication)
User or device is known; identity-based access control; single MAC per port
  interface FastEthernet 3/48
   authentication port-control auto
Authenticated user: Sally. The switch port now passes DHCP, TFTP, KRB5, HTTP, and other traffic.
Sally: "Looks the same as without IEEE 802.1X."
"Having read your mind, Sally, that is true. Unless you apply an authorization, access is wide open. We can restrict access with dynamic VLAN assignment or downloadable ACLs."
Default Security: Consequences
Default IEEE 802.1X challenge: devices without supplicants cannot send EAPoL. No EAPoL = no access; the device stays offline.
  interface FastEthernet 3/48
   authentication port-control auto
One physical port > two virtual ports:
- Uncontrolled port (EAPoL only)
- Controlled port (everything else)
The switch port drops the device's DHCP and TFTP traffic while waiting for EAPoL that never arrives.
Simplifying IEEE 802.1X Deployments
Challenge             | Cisco IOS Software Enhancement
Clientless device     | Cisco IOS Software MAB plus NAC Profiler
Host asset management | Cisco IOS Software IEEE 802.1X open mode
Operation cost        | Cisco IOS Software flexible authentication (FlexAuth)
IPT integration       | Cisco IOS Software MDA
Also listed: Cisco IOS Software EAPoL logoff and MAB inactivity timer; Cisco IOS Software Cisco Discovery Protocol host connect TLV
Authenticating Clientless Devices: MAC Authentication Bypass (MAB)
- Same authorizations as IEEE 802.1X (VLAN or ACL)
- Requires a current database of known MAC addresses
  interface FastEthernet 3/48
   authentication port-control auto
   mab
End-point host (MAC 00.0a.95.7f.de.06) on a port running dot1x and MAB; each EAP ID Request waits up to 0:30 for a response:
1. Link up
2. EAP ID Request; no response; timeout
3. EAP ID Request; no response; timeout
4. EAP ID Request; no response; timeout
5. Fallback to MAB
6. Learn MAC
7. RADIUS Access Request: 00.0a.95.7f.de.06
8. RADIUS Access Accept; port enabled
MAB Limitations and Challenges
- MAB requires creation and maintenance of a MAC database
- Default IEEE 802.1X timeout = 90 seconds
  - 90 seconds: default MSFT DHCP timeout
  - 90 seconds: default PXE timeout
- Current workaround: timer tuning (always requires testing)
  - max-reauth-req: maximum number of times (default = 2) that the switch retransmits an EAP ID Request frame on the wire
  - tx-period: number of seconds (default = 30) that the switch waits for a response to an EAP ID Request frame before retransmitting
  - IEEE 802.1X Timeout = (max-reauth-req + 1) * tx-period
Simplifying MAB Deployments: NAC Profiler
Build MAC Database Before Deploying IEEE 802.1X
Switch -> (SNMP, DHCP) -> NAC Profiler Collector -> NAC Profiler Server
The collector learns port, MAC address, Organizational Unique Identifier, and vendor ID.
  interface range gigE 1/0/1 - 24
   switchport access vlan 30
   switchport voice vlan 31
  snmp-server host 10.100.10.215 RO
  snmp-server enable traps mac-notification
  snmp-server enable traps snmp linkup linkdown
  interface VLAN 30
   ip helper-address 10.100.10.215
NAC Profiler: Query MAC Database After Deploying IEEE 802.1X
1. IEEE 802.1X times out and the switch initiates MAB (RADIUS Access Request: 00-18-f8-09-cf-d7 to ACS).
2. Cisco Secure Access Control Server (ACS) queries the Profiler database using LDAP (LDAP: 00-18-f8-09-cf-d7 to the NAC Profiler Server).
3. Profiler validates the MAC address (LDAP success).
4. Cisco Secure ACS sends MAB success (RADIUS Access Accept).
5. Switch enables the port (with optional authorization).
  interface range gigE 1/0/1 - 24
   switchport access vlan 30
   switchport voice vlan 31
   authentication port-control auto
   mab
Next Section: Open Mode
IEEE 802.1X and MAB: Open Mode (No Restrictions)
- IEEE 802.1X and MAB enabled
- Open mode enabled: all traffic in addition to EAP is allowed (DHCP, TFTP, HTTP, and EAP all pass the switch port)
RADIUS accounting logs provide visibility:
- Passed and failed IEEE 802.1X/EAP attempts: list of valid dot1x-capable hosts, list of non-dot1x-capable hosts
- Passed and failed MAB attempts: list of valid MAC addresses, list of invalid or unknown MAC addresses
IEEE 802.1X and MAB: Open Mode (Selectively Open Access)
- Open mode (pin hole) on specific TCP and UDP ports; restrict to specific addresses
- EAP allowed (controlled port)
- Block general access until successful IEEE 802.1X, MAB, or WebAuth
Pin hole explicit TCP and UDP ports to allow desired access: in the figure, DHCP to a specific DHCP server, TFTP to the PXE server, and EAP pass the switch port, while HTTP and HTTPS are blocked.
Example: Open Mode on IEEE 802.1X Port with Access Control
Cisco Catalyst 6500 Series; IEEE 802.1X* Ethernet port; wired Ethernet end points; Cisco Secure ACS and AAA (RADIUS); DHCP/DNS at 10.100.10.116, PXE/TFTP at 10.100.10.117; authenticated end point IP 10.100.60.200.
Sample open mode configuration:
  interface range gigE 1/0/1 - 24
   switchport access vlan 30
   switchport voice vlan 31
   ip access-group UNAUTH in
   authentication host-mode multi-domain
   authentication open
   authentication port-control auto
   mab
  ip access-list extended UNAUTH
   permit tcp any any established
   permit udp any any eq bootps
   permit udp any host 10.100.10.116 eq domain
   permit udp any host 10.100.10.117 eq tftp
Any/any (before authentication):
  6506-2#show tcam interface g1/13 acl in ip
  permit tcp any any established match-any
  permit udp any any eq bootps
  permit udp any host 10.100.10.116 eq domain
  permit udp any host 10.100.10.117 eq tftp
  deny ip any any
After authentication (end point IP 10.100.60.200):
  6506-2#show tcam interface g1/13 acl in ip
  permit ip host 10.100.60.200 any
  permit tcp any any established match-any
  permit udp any any eq bootps
  permit udp any host 10.100.10.116 eq domain
  permit udp any host 10.100.10.117 eq tftp
  deny ip any any
Slide source: Ken Hook
* Works on FlexAuth and MDA enabled ports
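An evaluator for the pre- and post-authentication ACLs above, as an added example that is not part of the Cisco deck and not the switch's own TCAM logic. It parses the UNAUTH ACE lines as written on the slide (a small subset of IOS extended-ACL syntax: permit/deny, protocol, any/host addresses, "eq" with a port name or number, "established", and the "match-any" token from the show tcam output) and checks constructed sample packets against the two ACLs. "established" is modelled as a flag on the packet rather than by inspecting TCP flags; port names beyond the four on the slide are an assumption.

```python
"""Evaluator for the open-mode pre/post-authentication ACLs (added example, not from the deck)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}   # IOS names (assumed subset)


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: str              # "any" or a host address
    dst: str
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and ipaddress.ip_address(want) != ipaddress.ip_address(have):
                return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return not self.established or p.established


def parse_ace(line: str) -> Ace:
    """Parse one ACE such as 'permit udp any host 10.100.10.116 eq domain'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, i = tok[0], tok[1], 2

    def address() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host" and i + 1 < len(tok):
            i += 2
            return tok[i - 1]
        raise ValueError(f"unsupported address form in: {line}")

    src, dst = address(), address()
    dport, established = None, False
    while i < len(tok):
        if tok[i] == "eq" and i + 1 < len(tok):
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            established, i = True, i + 1
        elif tok[i] == "match-any":   # present in the show tcam output; no effect on matching here
            i += 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
    return Ace(action, proto, src, dst, dport, established)


def evaluate(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


UNAUTH_ACL = """permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp"""


def unauth_acl() -> List[Ace]:
    """The pre-authentication pin holes from the slide."""
    return [parse_ace(line) for line in UNAUTH_ACL.splitlines()]


def authorized_acl(host_ip: str) -> List[Ace]:
    """After authentication the per-host permit is inserted ahead of the pin holes, as in the second tcam listing."""
    return [parse_ace(f"permit ip host {host_ip} any")] + unauth_acl()


if __name__ == "__main__":
    # constructed sample traffic from an end point that has not yet authenticated
    for pkt in (Packet("udp", "0.0.0.0", "255.255.255.255", 67),
                Packet("udp", "10.100.60.200", "10.100.10.116", 53),
                Packet("tcp", "10.100.60.200", "10.100.10.50", 80)):
        print(pkt, "pre-auth:", evaluate(unauth_acl(), pkt), "post-auth:", evaluate(authorized_acl("10.100.60.200"), pkt))
```

The check worth noticing is the last one in the test: once 10.100.60.200 is authorized, a second, unauthenticated host on the same port still only gets the pin holes, because the per-host ACE is keyed on the authenticated address.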
Next Section: Flexible Authentication (FlexAuth)
Flexible Authentication: Host Roulette
One configuration addresses all use cases and all host modes: 802.1X client, valid host asset, guest user (employee, partner, faculty, subcontractor).
- 802.1X client: EAP credentials sent and validated; port authorized
- Valid MAC address: IEEE 802.1X times out or fails; MAB; known MAC, Access Accept; port authorized
- Guest user: IEEE 802.1X times out or fails; MAB; unknown MAC, Access Accept with URL redirect; web authentication
- Port authorized; host change
Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
Choice of policy enforcement mechanisms: VLAN, downloadable per-user ACL, and URL
Benefit: greater flexibility and deterministic behavior
  interface GigabitEthernet1/13
   authentication host-mode multi-domain
   authentication order dot1x mab webauth
   authentication priority dot1x mab webauth
   authentication port-control auto
   dot1x pae authenticator
   authentication violation restrict
   authentication fallback WEB-AUTH
   mab
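A model of the port behaviour described above (the dot1x, mab, webauth order with fallback) together with the timer arithmetic from "MAB Limitations and Challenges", as an added example that is not part of the Cisco deck and not Cisco IOS code. It walks the configured method order for three kinds of host, timestamps each event using IEEE 802.1X Timeout = (max-reauth-req + 1) * tx-period, and checks whether a supplicant-less host reaches MAB before the 90-second DHCP/PXE client deadline the deck cites. The MAC addresses and the known-MAC set are constructed sample values; that an 802.1X failure (as opposed to a timeout) moves on to the next method is this model's assumption, not something the configuration on the slide states.

```python
"""Model of an access port running 'authentication order dot1x mab webauth' (added example, not from the deck)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class PortTimers:
    tx_period: int = 30        # seconds to wait for an EAP ID Response before retransmitting (default 30)
    max_reauth_req: int = 2    # retransmissions of the EAP ID Request (default 2)

    def dot1x_timeout(self) -> int:
        """IEEE 802.1X timeout = (max-reauth-req + 1) * tx-period, as the deck states."""
        return (self.max_reauth_req + 1) * self.tx_period


@dataclass
class Host:
    mac: str
    has_supplicant: bool
    credentials_valid: bool = True


@dataclass
class AuthResult:
    method: Optional[str]      # method that authorized the port, or "webauth" if it fell through to the portal
    authorized: bool
    elapsed: int               # seconds after link up
    events: List[str]


def authenticate_port(host: Host, timers: PortTimers, known_macs: Set[str],
                      order: Tuple[str, ...] = ("dot1x", "mab", "webauth")) -> AuthResult:
    """Walk the configured method order and record what the port would see, with timestamps."""
    t, events = 0, ["0s link up"]
    known = {m.lower() for m in known_macs}
    for method in order:
        if method == "dot1x":
            if host.has_supplicant:
                events.append(f"{t}s EAP ID Response received")
                if host.credentials_valid:
                    events.append(f"{t}s EAP Success; port authorized")
                    return AuthResult("dot1x", True, t, events)
                events.append(f"{t}s EAP Failure; trying next method (model assumption)")
                continue
            # No supplicant: the switch sends the ID Request, waits tx-period, and retransmits max-reauth-req times
            for n in range(timers.max_reauth_req + 1):
                events.append(f"{t}s EAP ID Request #{n + 1}: no response")
                t += timers.tx_period
            events.append(f"{t}s IEEE 802.1X timed out; falling back")
        elif method == "mab":
            events.append(f"{t}s MAB: RADIUS Access-Request for {host.mac}")
            if host.mac.lower() in known:
                events.append(f"{t}s RADIUS Access-Accept (known MAC); port authorized")
                return AuthResult("mab", True, t, events)
            events.append(f"{t}s unknown MAC; trying next method")
        elif method == "webauth":
            events.append(f"{t}s WebAuth fallback: URL redirect to the login page; port not yet authorized")
            return AuthResult("webauth", False, t, events)
    return AuthResult(None, False, t, events)


def falls_back_before_client_gives_up(timers: PortTimers, client_deadline: int = 90) -> bool:
    """A supplicant-less host must reach MAB before its DHCP/PXE client times out (90 s per the deck)."""
    return timers.dot1x_timeout() < client_deadline


if __name__ == "__main__":
    printer = Host("00:0a:95:7f:de:06", has_supplicant=False)   # MAC from the deck's MAB slide
    for tm in (PortTimers(), PortTimers(tx_period=10)):
        r = authenticate_port(printer, tm, {"00:0a:95:7f:de:06"})
        print(f"timeout {tm.dot1x_timeout()}s -> {r.method} at {r.elapsed}s", *r.events, sep="\n  ")
```

With the default timers the printer is only authorized by MAB at 90 seconds, exactly when the deck says the Microsoft DHCP and PXE clients give up; tx-period 10 brings the fallback to 30 seconds, which is the kind of tuning the deck says always needs testing.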
Next Section: IP Telephony Integration
MDA for Cisco IP Phones
1. Phone learns VVID from Cisco Discovery Protocol.
2. IEEE 802.1X times out (EAP ID Requests go unanswered; no supplicant on the phone).
3. Switch initiates MAB for the phone's MAC (Access Request: phone MAC).
4. Cisco Secure ACS returns Access Accept with Vendor Specific Attribute (VSA) for phones (device-traffic-class=voice) (Access Accept: phone VSA).
5. Switch allows phone traffic on either VLAN until the phone sends a tagged packet; then only voice VLAN traffic is allowed.
6. Asynchronously, the PC (SSC) behind the phone authenticates using IEEE 802.1X (EAP) or MAB. Authenticated PC traffic is allowed on the data VLAN only.
  interface GigE 1/0/5
   switchport mode access
   switchport access vlan 2
   switchport voice vlan 12
   authentication host-mode multi-domain
   authentication port-control auto
   dot1x pae authenticator
   mab
MDA in Action
  3750-1(config-if)#do sh dot1x int G1/0/5 details
  Dot1x Authenticator Client List
  -------------------------------
  Domain                = DATA
  Supplicant            = 0014.5e42.66df
  Auth SM State         = AUTHENTICATED
  Auth BEND SM State    = IDLE
  Port Status           = AUTHORIZED
  Authentication Method = Dot1x
  Authorized By         = Authentication Server

  Domain                = VOICE
  Supplicant            = 0016.9dc3.08b8
  Auth SM State         = AUTHENTICATED
  Auth BEND SM State    = IDLE
  Port Status           = AUTHORIZED
  Authentication Method = MAB
  Authorized By         = Authentication Server
IP Telephony Integration: Summary
- Allows Cisco and third-party IP phones without supplicants to be identified and authenticated
- First-hop switch snoops protocols; first-hop switch proxies requests to the authentication service
Customer benefits:
- Allows more devices to participate in the identity network
- Eliminates capital and operating expenses for upgrade and replacement of all IP phones
Use Case: PC Disconnect Behind an IP Phone
1. Inactivity timers (supplicant)
2. EAPOL Logoff (on the VVID)
3. Cisco Discovery Protocol notification
Main Points
- Cisco Identity-Based Networking Services (IBNS) provides a security foundation for customers
- New Cisco IBNS features simplify deployments and operations
Additional Resources
Cisco IBNS Website: http://www.cisco.com/go/ibns
Products:
- Cisco Catalyst 6500 Series Switches: http://www.cisco.com/go/6500
- Cisco Catalyst 4500 Series Switches: http://www.cisco.com/go/4500
- Cisco Catalyst 3750 Series Switches: http://www.cisco.com/go/3750
- Cisco Catalyst 3560 Series Switches: http://www.cisco.com/go/3560
- Cisco Catalyst 2960 Series Switches: http://www.cisco.com/go/2960