Cisco Identity Services Engine Blog Series
This is the first entry in a series of blog posts that will discuss the various facets of Cisco's Identity Services Engine (ISE). The first topic, explored here, is wired and wireless 802.1X network authentication. In this entry, "Authenticate all the things!", we will review the 802.1X authentication architecture and its high-level components.
What is 802.1X?
The first thing to understand about 802.1X is that it is not a single thing or protocol. Furthermore, 802.1X itself is a component of an even larger system of network access controls, commonly referred to in the industry as Network Access Control (NAC) solutions. Cisco ISE is an example of one such NAC system. 802.1X is a network-level authentication and authorization framework that serves as a fundamental component of any comprehensive NAC solution. This 802.1X authentication framework involves a system of hardware/software components and protocols. IP networks employ 802.1X to require endpoint users and/or endpoint devices to authenticate themselves before being granted (potentially) differentiated levels of access to a wired or wireless network connection. Figure 1 below provides an illustration of the components and protocols that comprise an 802.1X architecture.
A Supplicant is a piece of software running on an endpoint. The supplicant is responsible for providing the user/device authentication credential to the authentication server. This credential is provided, by the supplicant, to the Authenticator via the Extensible Authentication Protocol (EAP). EAP is a link-local protocol (meaning it is only transmitted over the direct link between two devices: an endpoint and a switch, or an endpoint and a wireless AP/controller). As such, it is the authenticator's role to proxy this EAP data from the supplicant to the authentication server using RADIUS encapsulation; RADIUS is a routable protocol capable of being transmitted to any reachable destination on an IP network. Authentication Servers are responsible for validating/authenticating the credential received in the RADIUS message and returning an authorization result back to the authenticator. The credential presented to the authentication server can represent the device or the user requesting connection to the network, or in some cases, both. Identity Sources are identity stores/directories that an authentication server (Cisco ISE) can use to validate authentication credentials provided by the supplicant. Additionally, they can be used to retrieve additional attributes (such as Windows Security Group membership in the case of Microsoft AD) to make decisions about what permissions the endpoint should have on the network (put another way, what they are authorized to do). While Cisco ISE can host an internal user/endpoint directory, it is most common that an existing directory/identity store will be leveraged for user authentication and attribute retrieval.
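To make the authenticator's relay role concrete, the following is an added example (not code from the original post, Cisco, or ISE) that builds the supplicant's EAP Response/Identity, wraps it in a RADIUS Access-Request the way an authenticator does (EAP-Message attributes plus the Message-Authenticator that RFC 3579 requires), and then validates and unwraps it the way an authentication server does. The shared secret and the Request Authenticator are constructed values; a real authenticator also sends NAS and User-Name attributes and uses a random Request Authenticator.

```python
import hashlib
import hmac
import struct

# RADIUS (RFC 2865) and EAP-over-RADIUS (RFC 3579) constants used below
ACCESS_REQUEST, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def eap_response_identity(eap_id, identity):
    """EAP Response/Identity as the supplicant sends it over the link (EAPOL)."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def encapsulate_in_radius(eap, secret, radius_id, request_auth):
    """Authenticator side: relay the EAP packet inside RADIUS EAP-Message attributes
    (253-byte chunks) and sign it with Message-Authenticator (HMAC-MD5, RFC 3579)."""
    attrs = b"".join(_attr(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while computing the HMAC
    pkt = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zero placeholder is the last 16 bytes of the packet

def verify_and_extract_eap(pkt, secret):
    """Authentication-server side: check Message-Authenticator with the shared secret and
    reassemble the EAP packet. Returns the EAP bytes, or None if the packet must be dropped."""
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        return None
    eap, mac, pos = b"", None, 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return None
        value = pkt[pos + 2:pos + alen]
        if atype == ATTR_EAP_MESSAGE:
            eap += value
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return None
            mac, pkt = value, pkt[:pos + 2] + bytes(16) + pkt[pos + alen:]  # zero for HMAC
        pos += alen
    if mac is None or pos != len(pkt):  # RFC 3579: EAP-Message without Message-Authenticator is discarded
        return None
    return eap if hmac.compare_digest(mac, hmac.new(secret, pkt, hashlib.md5).digest()) else None
```

The server-side check is what stops a RADIUS packet with a modified or stripped EAP payload from being accepted, which is why ISE and any other RADIUS server should reject EAP-Message without a valid Message-Authenticator.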
In our next entry in this series, we will delve deeper into 802.1X EAP authentication types to get a better understanding of the authentication options available (user authentication vs. computer authentication, usernames/passwords vs. certificates, etc.).
Written By: Dominic Zeni, LookingPoint Consulting Services SME - CCIE #26686
If you are interested in LookingPoint installing ISE into your network, feel free to contact us here!