Migrating from CTA 802.1x Wired Client to Cisco Secure Services Client

Cisco Secure Services Client and CTA 802.1x Wired Client Comparison


This chapter compares the functions, interfaces, and methods of configuration used by the Cisco Secure Services Client (SSC) and the CTA 802.1x Wired Client.

This chapter contains these sections:

Comparing SSC and CTA 802.1x Wired Client Supplicant Functions

Method of Creating a Deployment Package

Creating New Network Connections

Public Authentication Profile

Automatic User Connection is Configurable

Pre-Windows-Logon User Authentication

Storage Options for User Credentials

Configuring EAP-FAST Connection Settings

Installation Directories

Logging Tools

Comparing SSC and CTA 802.1x Wired Client Supplicant User Interfaces

SSC Wired and Wireless License Information

Configuring User and Machine Credentials

Configuring Client Authentication Settings

Configuring Trusted Server Validation and Rules

Configuring Authentication Retry Settings

Comparing SSC and CTA 802.1x Wired Client Supplicant Functions

Method of Creating a Deployment Package

SSC's deployment package is a digitally signed and encrypted XML file which defines the authentication requirements for the client and defines the amount of control a user has over the SSC interface.

The XML file is created by the administrator using an XML editor. It is parsed, encrypted, and signed using administrative utilities provided with the downloaded software. After the distribution package has been created, it is compiled into the SSC installation file. When SSC is installed, the deployment package is installed at the same time.

The CTA 802.1x Wired Client deployment package consists of two XML files which define the authentication requirements for the client. The user is given minimal control over the CTA 802.1x Wired Client interface by default.

CTA 802.1x Wired Client administrators create the authentication profile XML files using a wizard which guides them through the creation process. Unlike Cisco Secure Services Client, the CTA 802.1x Wired Client authentication profile XML files are not recompiled into the CTA 802.1x Wired Client installation file; they are distributed separately.

Creating New Network Connections

SSC can be configured to allow users to create new network connections. This provides flexibility for those users who move their computers out of the enterprise network and into home or travel networks. SSC can also be configured to prevent users from creating networks. This configuration is meant for computers that will only access networks within your enterprise.

The CTA 802.1x Wired Client does not allow users to create new network connections, and it cannot be configured to do so.

Public Authentication Profile

SSC allows for the creation of a public authentication profile. This profile is used by all users of the same computer. The public profile may require machine, user, or both machine and user authentication. Server validation can be required for a public profile.


Note In order to perform machine authentication, the authentication profile must be public.


You cannot create a public profile for the CTA 802.1x Wired Client.

Automatic User Connection is Configurable

After users log on to their computers, SSC can either be configured to automatically attempt to connect to the network or require the user to manually connect to the network. This is not configurable with the CTA 802.1x Wired Client. The CTA 802.1x Wired Client always attempts to connect to the network automatically.

User authentication occurs when SSC attempts to establish the connection to the network, whether automatically or manually.

A restart of the auto-connection process occurs after one of these events:

An existing connection is lost

A connection attempt fails on one access device

The set of available and configured Access Devices changes based on an updated wireless scan or wired link-up and there is a network adapter available

A new adapter becomes available

When the machine resumes from hibernation or suspension

Pre-Windows-Logon User Authentication

SSC can be configured to delay performing Windows network logon until after 802.1x authentication is performed. This eliminates a race condition between 802.1x authentication and Windows networking tasks.

The CTA 802.1x Wired Client does not have this capability. In the case of CTA 802.1x Wired Client, 802.1x authentication and Windows networking tasks are attempted simultaneously.

Storage Options for User Credentials

When a user authentication profile requires users to be prompted for their username and password in order to log on to the network, SSC can be configured to save their credentials forever, for the current session, or for five minutes.

The CTA 802.1x Wired Client saves user credentials forever by default, and this behavior cannot be configured.

Configuring EAP-FAST Connection Settings

SSC provides these methods of configuring the EAP-FAST authentication session:

Enable fast reconnect

Protect client certificate

Use Smartcard-based Client Certificates Only

Enable Fast Reconnect

When SSC is configured to allow fast reconnects, SSC responds to a re-authentication request using cached credentials. This applies to both the outer and inner tunnel methods. The CTA 802.1x Wired Client cannot be configured for this aspect of EAP-FAST authentication.

Protect Client Certificate

When SSC or the CTA 802.1x Wired Client is configured to protect the client certificate, the supplicant refuses to send the certificate to the authentication server during Phase 1 of the authentication request, because this phase of the EAP-FAST authentication is unprotected. Instead, both supplicants send the client certificate during Phase 2 of the EAP-FAST authentication, where the certificate is encrypted because it is sent through the inner tunnel.

Use Smartcard-based Client Certificates Only

When this feature is configured, SSC sends the authentication server only a client certificate from a smartcard. If you are performing machine authentication, this option is not allowed, because a machine certificate must be obtained from the OS certificate store. The CTA 802.1x Wired Client cannot be configured for this aspect of EAP-FAST authentication.

Installation Directories

The installation directories are different for SSC and CTA 802.1x Wired Client.

SSC is installed by default in this directory:
C:\Program Files\Cisco Systems\Cisco Secure Services Client

CTA 802.1x Wired Client is installed by default in this directory:
C:\Program Files\Cisco Systems\Cisco Trust Agent 802_1x Wired Client

Logging Tools

The System Report tool is available for both SSC and CTA 802.1x Wired Client.

For SSC, it can be reached by navigating Start > Programs > Cisco Secure Services Client > Cisco Secure Services Client System Report.

For the CTA 802.1x Wired Client, it can be reached by navigating Start > Programs > Cisco Trust Agent 802.1x Wired Client > Cisco Trust Agent 802.1x Wired Client System Report.

The System Report provides summary information about all the network adapters found on the computer, and it identifies and collects authentication profile files, technical logs, and system logs. This information is stored in a zip file that is placed on the computer's desktop.

To use the System Report Tool, follow this procedure:


Step 1 Open the System Report tool.

Step 2 Click Collect Data.

Step 3 After the output to the console has stopped, click Locate Report File. Windows Explorer opens and the report file is highlighted.

Comparing SSC and CTA 802.1x Wired Client Supplicant User Interfaces

SSC and CTA 802.1x Wired Client supplicants each provide users with an interface to configure network connections but these interfaces are used for different purposes.

SSC can be configured to allow users to create and configure network connections from their computer using a GUI. These connection profiles are created only for use on an individual computer.

SSC administrators create connection profiles, called "deployment packages," by creating an XML file that follows the SSC distribution package schema. These deployment package files are compiled in SSC installation .msi files and distributed throughout an organization. When SSC is installed it is already configured with the attributes in the deployment package.

CTA 802.1x Wired Client users cannot configure network connections for their computers using a GUI or any other method. CTA 802.1x Wired Client administrators create deployment packages using the deployment package wizard in the CTA 802.1x Wired Client. Those deployment packages can be distributed to all the users of their enterprise.

Though their purposes are different, SSC's GUI and CTA 802.1x Wired Client's deployment package wizard have many similarities. This section is intended to orient administrators who are already familiar with CTA 802.1x Wired Client's deployment package wizard with SSC's GUI interface as well as identify the XML elements in SSC's deployment package file that are equivalent to the settings in the user interfaces.


Note The XML elements used in the deployment package XML files are described at length in Chapter 2 of the Cisco Secure Services Client Administrator Guide, located here on Cisco.com: http://www.cisco.com/en/US/products/ps7034/prod_maintenance_guides_list.html. Read that document for a complete discussion of how the elements are nested and configured in a deployment package.


SSC Wired and Wireless License Information

The SSC obtained from the cisco.com SSC download page (the default client) is a fully licensed, non-expiring, wired-only client. It supports EAP-FAST with EAP-MSCHAPv2, EAP-GTC and EAP-TLS (SmartCard credentials). By navigating Help > Activation, a user with the wired-only license sees the dialog box in Figure 1-1.

Figure 1-1 Activate Product Features dialog for a wired-only license

If demonstration of the wireless functionality is desired, a 90-day trial license for this feature is available for download at the same site. The trial license also adds support for additional authentication methods: LEAP, EAP-PEAP, EAP-TTLS and EAP-MD5. By navigating Help > Activation, a user with the wireless trial license sees the dialog box in Figure 1-2.

Figure 1-2 Activate Product Features dialog for wireless trial license

Configuring User and Machine Credentials

Figure 1-3 shows the location of where user credentials are set in the CTA 802.1x Wired Client and in SSC.

CTA 802.1x Wired Client administrators specify user authentication credentials in the Station Policy dialog box using radio buttons in the area numbered 1.

If their configuration of SSC permits, SSC users specify user authentication credentials in the SSC Network Profile dialog box. Clicking Modify in the area numbered 1 opens the SSC Network Authentication dialog box. In that dialog box, users specify whether machine credentials are used in place of user credentials, whether users are prompted for their credentials, or whether users are authenticated with their Windows logon username and password.

CTA 802.1x Wired Client administrators configure "Machine authentication only" by checking the Use Machine Credentials for User Credentials check box in area 1 of the CTA 802.1x Wired Client Station Policy dialog box and by checking Automatically establish machine connection in the area numbered 2.

SSC users create a "Machine authentication only" profile by checking Automatically establish machine connection, in the area numbered 2 in the SSC Network Profile Dialog box, by clicking Modify, and by selecting the Use Machine Credentials radio button in the area numbered 1 in the Network Authentication Dialog box.

SSC administrators specify user and machine authentication credentials in the <authenticationNetwork> element of the deployment package XML file.

Figure 1-3 Location of User Credential Settings in User Interfaces

Configuring Client Authentication Settings

Figure 1-4 shows the client authentication settings in CTA 802.1x Wired Client and Figure 1-5 shows where these client authentication settings are found in SSC.

Figure 1-4 Client Authentication Settings in CTA 802.1x Wired Client

CTA 802.1x Wired Client administrators specify if users' username and domain are sent during Phase 1 of EAP-FAST authentication in the User Identity Protection area, labeled A. In the area labeled B, CTA 802.1x Wired Client administrators specify if the client certificate can be sent during Phase 1 of EAP-FAST authentication.

Figure 1-5 Client Authentication Settings in SSC

If their configuration of SSC permits, SSC users can specify if their username and domain are sent and if the client certificate is sent during Phase 1 of EAP-FAST authentication. Users start by clicking Modify in the Network Configuration Summary area of the Network Profile dialog box. This opens the Network Authentication dialog box. By turning on authentication methods, users specify if their connection profile allows the username and domain or "anonymous" to be sent during Phase 1 of EAP-FAST authentication. These fields are labeled A in Figure 1-5.

In either case, users can then specify EAP-FAST as the "outer method" or Phase 1 protocol by checking FAST. After clicking Configure, users specify if the client certificate is sent unprotected during Phase 1 of EAP-FAST authentication by checking or not checking Allow Unprotected Client Certificate; that field is labeled B in Figure 1-5.

SSC administrators specify if username and domain or "anonymous" are sent during Phase 1 of EAP-FAST authentication by configuring the <useAnonymousId> element associated with <machineAuthentication>, <userAuthentication> or <machineUserAuthentication> element in the XML deployment package file. Configuring the <protectClientCertificate> element determines whether or not the client certificate is sent to the authentication server during Phase 1 of EAP-FAST authentication.

Configuring Trusted Server Validation and Rules

CTA 802.1x Wired Client administrators configure trusted servers by selecting Always validate servers in the Trusted Server Validation area of the Station Policy dialog box. When the administrator clicks Next, the Trusted Server Policy dialog opens. Clicking Add Server Rule allows the administrator to create the rule to validate the server certificate. These dialog boxes are illustrated in Figure 1-6.

SSC users can create a connection profile using server validation rules if their distribution of SSC allows them to do so. Configuring trusted servers is done in two parts. One part is to create a trusted server rule, as shown in Figure 1-7. The other part is to configure EAP-FAST authentication to require that the server be validated, as shown in Figure 1-8.

SSC administrators configure the use of trusted servers in the deployment package XML file, in two steps. When configuring the <eapFAST> EAP Method, the <validateServerIdentity> element is set to true. Administrators specify server validation rules in the <validationRules> element and which certificates to trust using the <trustAnyrootCaFromOs/> and <trustedRootCaCerts> elements. These elements are children of the <serverValidation> element which is a child of the <authenticationNetwork> element.

Figure 1-6 CTA 802.1x Wired Client Configuring Trusted Server

Figure 1-7 SSC Create Trusted Server Rule

Figure 1-8 SSC Validate Server Certificate
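As an added example that is not part of this guide or of the SSC tooling, the following Python script audits a deployment package XML file for the settings described in the Client Authentication Settings and Trusted Server Validation sections above: it reports an authentication element that does not use an anonymous outer identity, an <eapFAST> method that does not validate the server or does not protect the client certificate, and a <serverValidation> element that trusts any OS root CA without validation rules. Element names are those given in this chapter; the placement of <eapFAST>, <useAnonymousId> and <protectClientCertificate> directly under the authentication element is an assumption, as are the constructed sample values.

```python
# Added example, not code from the SSC documentation or Cisco tooling: a
# pre-compile audit of an SSC deployment package for the security-relevant
# elements this chapter names. Element names come from the chapter; the
# nesting of <eapFAST> inside the authentication element is an assumption.
import xml.etree.ElementTree as ET

AUTH_TAGS = ("machineAuthentication", "userAuthentication",
             "machineUserAuthentication")


def _is_true(parent, tag):
    """True only if <tag> exists directly under parent and reads 'true'."""
    child = parent.find(tag)
    return child is not None and (child.text or "").strip().lower() == "true"


def audit_package(xml_text):
    """Return a list of findings; an empty list means no weak settings."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in AUTH_TAGS:
        for auth in root.iter(tag):
            # Username and domain go in the clear in EAP-FAST Phase 1
            # unless an anonymous outer identity is configured.
            if not _is_true(auth, "useAnonymousId"):
                findings.append(f"{tag}: useAnonymousId is not true")
            for fast in auth.iter("eapFAST"):
                if not _is_true(fast, "validateServerIdentity"):
                    findings.append(f"{tag}/eapFAST: server not validated")
                if not _is_true(fast, "protectClientCertificate"):
                    findings.append(f"{tag}/eapFAST: client cert unprotected")
    server = root.find("serverValidation")
    if server is None:
        findings.append("no <serverValidation>: no trusted CAs or rules")
    elif (server.find("trustAnyrootCaFromOs") is not None
          and server.find("validationRules") is None):
        # Any certificate chaining to an OS-trusted root would be accepted.
        findings.append("serverValidation: any OS root CA, no validationRules")
    return findings


# Constructed sample (not a real SSC file) with three weak settings, and the
# same profile with those settings corrected.
WEAK_PACKAGE = """<authenticationNetwork>
  <userAuthentication>
    <useAnonymousId>false</useAnonymousId>
    <eapFAST>
      <validateServerIdentity>false</validateServerIdentity>
      <protectClientCertificate>true</protectClientCertificate>
    </eapFAST>
  </userAuthentication>
  <serverValidation><trustAnyrootCaFromOs/></serverValidation>
</authenticationNetwork>"""

HARDENED_PACKAGE = (WEAK_PACKAGE
    .replace("<useAnonymousId>false", "<useAnonymousId>true")
    .replace("<validateServerIdentity>false", "<validateServerIdentity>true")
    .replace("<trustAnyrootCaFromOs/>", "<validationRules/><trustedRootCaCerts/>"))
```

Running audit_package(WEAK_PACKAGE) lists the three weak settings, while the hardened package produces no findings.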

Configuring Authentication Retry Settings

Some network access devices have the ability to open a port but switch the user into a special VLAN after a failed connection attempt. In order to support these access devices, the client provides the administrator with the capability of adjusting the number of connection retries before disconnecting.

Figure 1-9 CTA 802.1x Wired Client Authentication Retries Counters

CTA 802.1x Wired Client administrators specify the number of Interactive Authentication Retries and Non-interactive Authentication Retries in the Authentication Retries area of the Create Deployment Package dialog box. These fields are marked in Figure 1-9.

SSC users cannot configure authentication retry settings when creating a local network connection profile.

SSC administrators configure this setting using the <interactiveAuthenticationRetries> and <nonInteractiveAuthenticationRetries> elements, which are children of the <machineUserAuthentication>, <userAuthentication>, or <machineAuthentication> elements.