The Cisco Identity-Based Networking Services (IBNS) solution offers cost-effective user/device management, flexibility and mobility, and reduced operating costs associated with granting and managing access to secure network resources. Cisco IBNS provides an important addition to the tools available for securing the network.
Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network access and resources. The IBNS solution extends network access security based on the 802.1x technology and the Extensible Authentication Protocol (EAP). The IBNS solution provides identity-based network access control and policy enforcement at the port level.
The Cisco IBNS technology solution secures both physical and logical access inside the LAN. Cisco IBNS integrates all the capabilities defined in 802.1x technology and, combined with it, provides an integrated solution for identity-based network access control and policy enforcement at the port level. With IBNS, both users and machines can be identified through secure authentication technologies. The solution allows granular control, in which policies are associated dynamically with network devices based on the identity of a user or device.
Cisco IBNS offers scalable and flexible access control and policy enforcement services and capabilities at the network edge as follows:
Per-user or per-device authentication
Policies mapped to network identity
Port-based network access control based on authentication and authorization policies
Additional policy enforcement based on access level, such as resource access
These services and capabilities are available when a Cisco end-to-end system is implemented.
As mentioned earlier, Cisco IBNS integrates all the capabilities defined in 802.1x technology. Additionally, the Cisco IBNS solution offers services that go beyond traditional 802.1x. Examples include the following:
VLAN assignment
Integration with port security
Voice VLAN ID
Guest VLAN
ACL assignment
High availability with redundant supervisors
Cisco IBNS solutions based on the 802.1x technology include the following components:
Cisco Catalyst family of switches
Wireless LAN access points
Cisco Secure Access Control Server (ACS)
IEEE 802.1x-compliant client, such as the Windows XP operating system
Optional X.509 PKI certificate architecture
Interoperation of Cisco IP phones when deployed on a Cisco end-to-end infrastructure
The solution works when IEEE 802.1x-compliant client software configured on the end device sends authentication requests to a Cisco Catalyst switch running the IEEE 802.1x features. The switch relays the authentication request from the user or device to the back-end Cisco Secure ACS security server. The basic communication between these devices complies with the IEEE 802.1x standard.
The Cisco Secure ACS server is a key component of the Cisco IBNS architecture.
As mentioned earlier, Cisco IBNS is primarily a security standard for port-based access control that combines IEEE 802.1x and EAP to extend AAA security inside the LAN.
Before IBNS solutions were available, network access control was possible only at the perimeter of the network. Similarly, prior to 802.1x technology, decentralized methods of MAC-address-based control existed, such as port security on the switches and MAC address filtering on the access points. However, these methods were configured statically on the devices themselves. (They had to be changed and updated individually on each port or device.) Cisco IBNS offers a centralized solution, using the Cisco Secure ACS server, whose policies are updated dynamically.
With Cisco IBNS architecture, policy enforcement and control (such as per-user quotas, VLANs, ACLs, and identity-based session accounting and auditing) are possible within the internal LAN segment.
Several additional features are available through the Cisco Secure ACS as the 802.1x authentication server, such as
Time and day restrictions
NAS restrictions
MAC filtering
Per user/group VLAN assignment
Per user/group ACL assignment
The Cisco Catalyst switches or wireless access point (AP) can be enabled as RADIUS clients so that they can query a AAA server for these controls.
The Cisco Secure ACS RADIUS server supports an internal user database and external database sources such as Microsoft Active Directory, Novell NDS, and Lightweight Directory Access Protocol (LDAP). The external database support provides the flexibility and scalability of integrating with an existing user database structure, thereby simplifying the overall deployment.
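The exchange described above (switch as RADIUS client, AAA server returning per-user VLAN and ACL assignments) can be made concrete with a small model of the RADIUS messages involved. The following is an added example written for this page; it is not Cisco Catalyst or Cisco Secure ACS code. It builds the Access-Request a switch would send for a user on a port, the Access-Accept an AAA server would return with the standard VLAN assignment attributes from RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN number) and a Filter-Id naming an ACL, and then shows the check the switch must perform before applying any of it: the Response Authenticator must be the MD5 of the reply bound to the original Request Authenticator and the shared secret (RFC 2865). The user name, port number, VLAN number, ACL name and shared secret are constructed sample values; how Cisco Secure ACS actually carries ACL assignments (Filter-Id versus a vendor-specific attribute) is not stated on the page, so Filter-Id here is an assumption.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute numbers (RFC 2865, RFC 2868, RFC 3580).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT, FILTER_ID, NAS_PORT_TYPE = 1, 5, 11, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802, NAS_PORT_TYPE_ETHERNET = 13, 6, 15
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Serialize (type, value-bytes) pairs into RADIUS TLV attributes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def tagged_int(tag, value):
    """Tunnel-* integer attributes carry a 1-byte tag followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_request(identifier, request_auth, username, nas_port):
    """Switch (NAS) side: Access-Request for a user seen on a given port."""
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_access_accept(secret, request, vlan_id, acl_name):
    """AAA server side: Access-Accept carrying a VLAN (RFC 3580) and an ACL name (Filter-Id, assumed)."""
    request_auth = request[4:HEADER_LEN]
    attrs = encode_attrs([
        (TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
        (TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE802)),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(vlan_id).encode()),
        (FILTER_ID, acl_name.encode()),
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(secret, request, response):
    """Switch side: accept a reply only if it is bound to our request and keyed with our secret."""
    if len(response) < HEADER_LEN or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:  # identifier must match the outstanding request
        return False
    header, response_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def authorization_from_accept(secret, request, response):
    """Return the VLAN and ACL the switch would apply, or None if the reply is not a valid Access-Accept."""
    if not verify_response(secret, request, response) or response[0] != ACCESS_ACCEPT:
        return None
    fields = {}
    for atype, value in decode_attrs(response[HEADER_LEN:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            fields[atype] = int.from_bytes(value[1:], "big")  # drop the tag byte
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # The tag byte is optional: values below 0x20 are a tag, otherwise it is data (RFC 2868).
            fields[atype] = (value[1:] if value and value[0] < 0x20 else value).decode()
        elif atype == FILTER_ID:
            fields[atype] = value.decode()
    vlan = None
    if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
            and TUNNEL_PRIVATE_GROUP_ID in fields):
        vlan = int(fields[TUNNEL_PRIVATE_GROUP_ID])
    return {"vlan": vlan, "acl": fields.get(FILTER_ID)}


if __name__ == "__main__":
    # Constructed sample exchange: the secret, request authenticator and names are made up.
    secret = b"constructed-shared-secret"
    req = build_access_request(7, bytes(range(16)), "alice", nas_port=1)
    acc = build_access_accept(secret, req, vlan_id=10, acl_name="EMPLOYEE-ACL")
    print(authorization_from_accept(secret, req, acc))          # VLAN 10, EMPLOYEE-ACL
    print(authorization_from_accept(b"wrong-secret", req, acc))  # None: not bound to our secret
```

The point of the verification step is that the switch applies a VLAN or ACL only from a reply that is tied to the request it actually sent and keyed with the secret it shares with the AAA server; a reply with a mismatched identifier, a bad length or a different secret yields no authorization. In a production deployment the Request Authenticator must be unpredictable (random per request) and the shared secret long and unique per switch, since both are what this binding rests on.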