Cisco Identity Based Networking Services 2.0 At-a-Glance
© 2014 Cisco Systems, Inc. and/or its affiliates. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Configuring the C3PL policy from the foundation may seem challenging given the various options with which the command set is equipped. To ease this effort, Cisco IOS® Software provides a conversion tool that migrates the existing identity configuration commands on the port to the new policy-mode configuration (Figure 2).

Figure 2 Identity Control Policy Configuration
[Figure: the match conditions (CLASS) are defined with the class-map command; the EVENT, CLASS and ACTION entries that make up the POLICY are defined under the policy-map command; the policy is applied to the INTERFACE with the service-policy command.]

Service Templates
A service template contains a set of service-related attributes or features, such as access control lists (ACLs) and VLAN assignments, which can be activated for one or more subscriber sessions in response to session lifecycle events. Templates simplify the provisioning and maintenance of network session policies in which policies are divided into distinct groups or are role based (Figure 3).

Figure 3 Service Template
[Figure: POLICY-MAP TYPE CONTROL SUBSCRIBER X -> EVENT <SUBSCRIBER SESSION EVENT> -> CLASS <EVENT CLASSIFICATION> -> ACTIVATE SERVICE-TEMPLATE; the SERVICE-TEMPLATE carries the ACCESS-LIST and TIMERS.]

A service template is applied to sessions through its reference in a control policy, through RADIUS CoA requests, or through a user profile or service profile. Service templates can also be downloaded from the RADIUS server or configured locally on the device through the Cisco IOS Software command-line interface (CLI).

Main Use Cases

Concurrent Authentication
Cisco IBNS 2.0 allows the concurrent operation of IEEE 802.1X, MAB, and web authentication methods, making it possible to invoke multiple authentication methods in parallel for a single subscriber session. This capability allows the client-supported method to be completed at the earliest opportunity, without the delays associated with serializing the methods (for example, waiting for 802.1X to time out before MAB is attempted).

Critical ACL After AAA Failure
Connectivity to the policy server is fundamental for successful network access. If the AAA and RADIUS server infrastructure becomes unavailable because of a failure, or unreachable because of network connectivity problems, the network authenticators (switches) may not be able to authorize the end user. Critical VLAN authorization is a remedy that gives the endpoints limited access to the network during an AAA server failure.

A common practice for port authentication is to authorize the user with VLAN and ACL assignments. This type of access permission allows both network segmentation and access control from the enterprise edge. However, the ACL authorization infrastructure requires a pre-authorization ACL to be applied to the port before an access session exists. This requirement prevents the use of critical authorization, in which the user can be given access to a critical VLAN, because the port ACL will block the user's traffic at ingress to the access network. A comprehensive solution is needed that, when the AAA infrastructure fails, both authorizes the user with an appropriate VLAN assignment and authorizes an ACL assignment, thereby unblocking the port for access.

The service template and the identity control policy offer options to meet these requirements. A service template can contain IP ACL and VLAN definitions that can be activated during session events (Figure 4).
C45-731544-01 4/14