Cisco Secure Services Client

Cisco Secure Services Client 5.0 Q&A

The following set of questions and answers provides some background information about the Cisco® Secure Services Client and its origins. In addition, under "Product Details," you will find in-depth information about the functions of the client and its interoperability with Cisco solutions.

Q. What is the Cisco Secure Services Client?
A. The Cisco Secure Services Client is client software that resides on the device to manage the user identity and create secure network connections. It is an endpoint security and management solution for deploying and managing identity-based network access control for enterprise networks. It provides IT managers with a Layer 2 security framework that uses an industry-standard 802.1X implementation for protecting endpoint devices. Cisco Secure Services Client works across platforms to provide a common authentication framework across wired and wireless networks. Table 1 lists some of the main features of Cisco Secure Services Client.

Table 1. Cisco Secure Services Client Product Specifications

| Item | Specification |
|---|---|
| Operating systems | Windows XP, Windows 2000 |
| EAP protocols | EAP-Message Digest 5 (MD5), EAP-Transport Layer Security (TLS), EAP-Tunneled TLS (TTLS), Cisco LEAP, EAP-Flexible Authentication via Secure Tunneling (FAST), Protected Extensible Authentication Protocol (PEAP) |
| EAP-TTLS | Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MSCHAP), MSCHAPv2, EAP-MD5 |
| EAP-PEAP | EAP-MSCHAPv2, EAP-TLS, and EAP-Generic Token Card (EAP-GTC) |
| Encryption support | WEP, WPA, WPA2, WPA-Pre-Shared Key (WPA-PSK), WPA2-PSK, Dynamic WEP (802.1X), AES, TKIP |
| Media support | Wired Ethernet 802.3 and Wi-Fi 802.11a, 802.11b, 802.11g |
| Switch interoperability | Any 802.1X-compatible Wi-Fi access point and wired Ethernet switch |
| Authentication, authorization, and accounting (AAA) interoperability | Supports standard RADIUS servers such as Cisco Secure Access Control Server (ACS) and Microsoft Internet Authentication Service (IAS) |
| Windows single sign-on (SSO) | Microsoft Active Directory machine and user authentication |
| Enterprise deployment | Export network profiles and lock user interface |

Q. Why is the product called Cisco Secure Services Client?
A. The name Cisco Secure Services Client reflects two important aspects of the product: first, that it supports the industry-leading 802.1X standard for secure, extensible device authentication across wired and wireless networks; and second, that it delivers a range of services to the client based on the identity of the user and device. These services include:

• Authentication services: 802.1X

• Identity services for network admission: Cisco Trust Agent and Network Admission Control (NAC) for wired and wireless networks

• Encryption services for data and management: WPA and WPA2

• Cisco Compatible Extensions: Performance optimization, voice services, and location services (this will be implemented in a future version)

• Client management services: Automated client profile deployment (this will be implemented in a future version)

Q. What are the benefits of the Cisco Secure Services Client?
A. The Cisco Secure Services Client enables IT departments to design and implement an 802.1X-based security strategy that positions the endpoint device as a defensible and secure new perimeter for wired and wireless networks. As a result, IT managers can deploy identity-based network security that can simultaneously enforce machine and user authorization rights, protect the integrity of devices, and reduce security breaches to the corporate network. Furthermore, the solutions are designed to simplify and enforce wired Ethernet and Wi-Fi access control policies regardless of device, network, or authentication technology. Table 2 lists the main features and benefits of Cisco Secure Services Client.

Table 2. Cisco Secure Services Client Features and Benefits

| Feature | Function | Benefit |
|---|---|---|
| Enterprise deployment mechanism | Ability for IT administrators to deploy user profiles throughout the entire enterprise through a single Extensible Markup Language (XML) file | Offers significant time and cost savings by alleviating the need for administrators to deploy the client on each desktop |
| Unified wired and wireless network client | Integration of wired Ethernet and Wi-Fi security | Reduces the number of endpoint clients, simplifying IT administration |
| Support for industry standards | IEEE, IETF, Wi-Fi Alliance, and Cisco Compatible Extensions | Provides better assurance for support across a wide array of network adapters and solutions |
| Endpoint integrity | Enforcement of quarantine and remediation of noncompliant devices | Minimizes chances for host PCs to be compromised by rogue software that could infect other devices on the network |
| SSO capability | Support for Microsoft Active Directory SSO | Reduces complexity for end users, in turn decreasing operating expenses for IT departments |
| Simple user interface | Interface enhancements, including a convenient "two-click connect" to office, home, and public networks. The client also provides a connection status indicator for network name, strength, connection status, and IP address | Allows end users to connect to the network more easily and eliminates the security concerns of connecting to any open SSID. |
| Enabling of group policies | Ability to apply network enforcement based on identity groups (dynamic VLAN assignment, downloadable access control lists [ACLs], and so on) | Provides ability to restrict user access to networked resources in addition to admission control. |
| Administrative control | Ability to selectively define and restrict certain security profiles and policies | Provides centralized provisioning and enforcement of endpoint security policies, while still enabling user-defined hotspots and home profiles. |

Additional customer benefits of the Cisco Secure Services Client include:

• Support for the Cisco EAP-FAST protocol as part of NAC

• Wired and wireless LAN connections, supporting WPA2 for wireless access

• Configurable network profiles and deployment tools to streamline network access

• Network access policy enforcement of server and client certificates

• Simple and flexible user interface

• Interoperability with existing authentication, authorization, and accounting (AAA) and RADIUS servers to eliminate costly upgrades

• Support for Cisco Compatible Extensions Version 4.0

• Built-in nonexpiring license that supports a basic wired-only feature set

• Free 90-day full wired and wireless trial licenses

Q. How does the Cisco Secure Services Client interoperate with other Cisco clients?
A. The Cisco Secure Services Client represents Cisco's move toward delivering an end-to-end solution for enterprise client security. Prior to the introduction of the Cisco Secure Services Client, Cisco bundled an original equipment manufacturer (OEM) 802.1X supplicant as part of the Cisco Trust Agent, which was designed for wired-only NAC deployments. The Cisco Secure Services Client allows Cisco to deliver a full-featured supplicant for wired and wireless networks. The Cisco Secure Services Client 802.1X software supplicant is an excellent complement to the Cisco Secure ACS RADIUS server and offers customers greater ease of security management for both wired and wireless security policies. Finally, the Cisco Secure Services Client expands the work that Cisco has been doing with the Cisco Compatible Extensions program to bring more uniform 802.1X support to a broader range of client devices. Table 3 compares Cisco Secure Services Client with Cisco Trust Agent, Cisco Compatible Extensions clients, and Cisco Aironet® Desktop Utility.

Table 3. Cisco Client Comparison

 

|  | Cisco Trust Agent Client (with bundled OEM supplicant) | Cisco Compatible Extensions Clients | Cisco Aironet Desktop Utility | Cisco Secure Services Client |
|---|---|---|---|---|
| Network interfaces supported | Wired only | Wireless only | Wireless only | Both wired and wireless |
| 802.1X supplicant | Limited EAP, OS, and GUI support | Limited; often inconsistent among vendors | Limited to Cisco client adapters | Complete |
| Centralized management of security profiles | No | No | No | Yes |
| User and IT experience | Limited troubleshooting and management | Variable implementations, depending on device manufacturer | Limited to Cisco client adapters | Consistent across all adapters |
| NAC support | Yes (wired only) | Varies | No | Yes (both wired and wireless) |
| Retail costs | Free | Free (bundled in with product) | Free with Cisco client adapters | Per-seat cost |

Q. Is the Cisco Secure Services Client supported by the Cisco Secure ACS?
A. Yes. The Cisco Secure Services Client is fully supported by the Cisco Secure ACS platform. The combination of the client supplicant and back-end authentication server provides customers with a comprehensive solution for robust client authentication across wired and wireless networks.
Q. How does the Cisco Secure Services Client work with the Cisco Unified Wireless Network?
A. The Cisco Secure Services Client allows enterprises to securely authenticate a variety of client devices to the wired and wireless network. The supplicant is fully supported by the Cisco Unified Wireless Network and works with the existing Cisco portfolio of access points and wireless LAN controllers.
Q. How does the Cisco Secure Services Client affect existing NAC strategies?
A. The Cisco Secure Services Client enhances the NAC framework by offering a unified wired and wireless 802.1X client for those customers who have chosen 802.1X as their admission control technology.
Q. Is the Cisco Secure Services Client supported by the Cisco NAC appliance?
A. Currently, the Cisco Secure Services Client is not supported by the appliance-based NAC offering. As Cisco moves to an integrated framework and appliance solution set of offerings, the Cisco Secure Services Client will offer customers a choice of client and authentication types to fit their operational requirements.
Q. Will the Cisco Secure Services Client become a part of the Trusted Computing Group (TCG) and Trusted Network Connect (TNC) working groups?
A. Cisco currently has no plans to join the TCG or TNC working groups. Cisco believes that the protocols required for endpoint integrity should be developed under the IETF, where other Internet protocols are standardized. Cisco is working with the members of TNC at the IETF to further advance the interest in standardizing the protocols for endpoint integrity.
Q. What is the part number of the Cisco Secure Services Client Version 5.0, and how can I order it?
A. The Cisco Secure Services Client is available on the Cisco Global Price List and can be ordered as a standard Cisco product. Use the following part number to place an order: AIR SC5.0-XP2K.

Product Details

Q. How has the client graphical user interface changed in the Cisco Secure Services Client 5.0?
A. The user interface has changed to provide a better user experience. The interface provides a convenient "two-click connect" to office, home, and public wired and wireless networks. This allows end users to connect to the network more easily and eliminates the security concerns of connecting to an open (public) wireless network. The user interface also provides a comprehensive range of features and is accessible by right-clicking the taskbar icon or using the desktop icon. End users can view the connection status indicator for network name, strength, connection status, and IP address.
Q. What is the Enterprise Deployment feature?
A. With the new Enterprise Deployment feature that is available in Cisco Secure Services Client 5.0, IT administrators can configure and deploy user profiles through a single XML file or the Cisco-supplied management utility, a wizard that steps the IT administrator through the policy and configuration settings for users, devices, and networks. This reduces the time and cost required to deploy and set up the client on end-user systems.
Q. Can the Cisco Secure Services Client hold multiple network profiles, for example, for use both at home and at work?
A. Yes, the Cisco Secure Services Client supports unlimited profiles for home, work, travel, or other locations.
Q. Can the Cisco Secure Services Client connect to open access points as well as secured access points?
A. Yes, the Cisco Secure Services Client can be configured to support open access points as well as secured ones.
Q. Does the Cisco Secure Services Client support WPA and WPA2?
A. Yes, Cisco Secure Services Client Version 5.0 is fully compliant with the Wi-Fi Alliance's WPA and WPA2 encryption standards.
Q. Is the Cisco Secure Services Client compatible with consumer-grade access points? Can I use WPA-PSK or WPA2-PSK to secure my home network?
A. Yes, the Cisco Secure Services Client 5.0 is compatible with Wi-Fi-Certified home networking equipment. Cisco recommends that users configure their equipment to use WPA-PSK or WPA2-PSK to ensure their privacy.
Q. What EAP authentication methods does the Cisco Secure Services Client support?
A. It supports EAP-MD5, EAP-MSCHAPv2, EAP-TLS, EAP-FAST, EAP-GTC, Cisco LEAP, PEAP, and EAP-TTLS.
Q. What encryption methods does the Cisco Secure Services Client support?
A. It supports WEP, Dynamic WEP (802.1X), WPA, WPA2, AES, TKIP, WPA-PSK, and WPA2-PSK.
Q. What operating systems does the Cisco Secure Services Client 5.0 support?
A. It supports Windows 2000 and Windows XP.
Q. What features are available in the nonexpiring, wired-only version of the Cisco Secure Services Client?
A. The following features are available in the nonexpiring, wired-only license:

• EAP methods

– EAP-MSCHAPv2

– EAP-TLS

– FAST

– GTC

• Smartcard support

• RSA SecurID support

• Wired adapters

• Support for standard RADIUS servers such as Cisco Secure ACS

• Central deployment of Microsoft Active Directory machine or user group policies

Q. Are there plans to support additional operating systems?
A. Yes. The Cisco Secure Services Client roadmap includes major operating system support for enterprise wired and wireless devices to provide consistent and uniform endpoint security and administration across different devices, including desktops, laptops, servers, wireless phones, handheld devices, and so on.
Q. What smartcards and readers does the Cisco Secure Services Client support?
A. Table 4 lists supported smartcard readers and smartcards.

Table 4. Smartcard Readers and Smartcards Supported by Cisco Secure Services Client

| Smartcard Readers | Smartcard: Cryptoflex 8K | Smartcard: Cryptoflex 32K | Smartcard: Raak |
|---|---|---|---|
| Axalto Reflex 20 v3 (PCMCIA reader) | Yes | Yes | No |
| Axalto Reflex 72 v2 (serial port) | Yes | Yes | No |
| Axalto Reflex USB v3 (USB) | Yes | Yes | No |
| Axalto Reflex USB v2 (USB) | Yes | Yes | No |
| Schlumberger/Raak egate reader (USB) | No | No | Yes |
| Aladdin eToken Pro 32K [1] | No | No | No |
| Gemplus Cryptoflex 32/64k | Yes | Yes | No |
| Gemplus Cyberflex 32/64k | Yes | Yes | No |

[1] Aladdin eToken Pro 32K is an integrated reader and card and thus does not work with other smartcards.

Q. Does the Cisco Secure Services Client allow the wireless adapter radio to be turned off and on?
A. Yes. However, not all wireless cards support the mechanism used to control power on the card, so it will not work with all devices. Note that turning the adapter radio off puts the adapter in standby mode, which is not the same as disabling or uninstalling the adapter.
Q. Can both device and user group policy object (GPO) functions be used with the Cisco Secure Services Client?
A. Yes. Both device and user GPOs are supported.
Q. Can different authentication methods be used for device and user authentication?
A. Separate authentication methods can be used for machine and user authentication. This function is under the control of the RADIUS server. For this reason, at present you need to use a RADIUS server, such as Cisco Secure ACS, that can filter on the host and identity prefixes sent during device authentication. Because the server will then know that the authentication is for a device, it can be configured to use the desired method.
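The filtering described in the answer above, sketched as an added example (this is not Cisco Secure ACS code or configuration): a server-side routine parses the EAP-Response/Identity packet defined in RFC 3748, classifies the identity by its prefix, and picks the EAP method to offer. The "host/" prefix test, the method mapping in POLICY, and the sample identities are assumptions constructed for illustration.

```python
import struct

EAP_RESPONSE = 2        # EAP Code field value for Response (RFC 3748)
EAP_TYPE_IDENTITY = 1   # EAP Type field value for Identity

# Hypothetical server policy (an assumption, not from the page): the EAP
# method offered to each class of supplicant identity.
POLICY = {"machine": "EAP-TLS", "user": "PEAP"}


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Build an EAP-Response/Identity packet, used here to make sample input."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data),
                       EAP_TYPE_IDENTITY) + data


def parse_identity(packet: bytes) -> str:
    """Return the identity carried in an EAP-Response/Identity packet."""
    if len(packet) < 5:
        raise ValueError("truncated EAP packet")
    code, _identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    if length < 5 or length > len(packet):
        raise ValueError("EAP length field does not match packet size")
    # Bytes past the Length field are link-layer padding and are ignored.
    return packet[5:length].decode("utf-8")


def classify(identity: str) -> str:
    """Assumes device identities start with "host/", the prefix the page refers to."""
    return "machine" if identity.lower().startswith("host/") else "user"


def select_method(packet: bytes) -> tuple:
    """Return (identity, class, EAP method to offer) for one identity response."""
    identity = parse_identity(packet)
    kind = classify(identity)
    # The outer identity is supplied by the client and is not yet verified:
    # it only picks the method to offer. The credential presented inside that
    # method is what actually authenticates the device or the user.
    return identity, kind, POLICY[kind]


if __name__ == "__main__":
    # Constructed sample identities, not captured traffic.
    for n, name in enumerate(["host/laptop01.example.com", "EXAMPLE\\alice"]):
        print(select_method(build_identity_response(n, name)))
```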
Q. Is the Cisco Secure Services Client interoperable with Cisco LAN switches?
A. The Cisco Secure Services Client is interoperable with any Cisco LAN switch that supports the IEEE 802.1X protocol for authentication.
Q. Does the Cisco Secure Services Client allow network administrators to define a "work" network for end users that is locked, but that still allows them to create their own network access profiles?
A. Yes, by using the deployment wizard to create a set of deployment files. By selecting Configurable Client as the Client Type on the Station Policy, end users can define their own networks. Administrators can control the types of networks that the end user defines using the Network Policy, Wi-Fi Policy, and Authentication Policy categories. During the deployment, administrators define the "work" network and copy these files to the end users' workstations. As part of the client deployment, the access profile entitled "work" is automatically locked, and end users cannot modify it. Additionally, end users can create new networks within the policy boundaries set by the administrator.

For More Information

For more information about Cisco Secure Services Client, visit: http://www.cisco.com/en/US/products/ps7034/index.html or contact your local Cisco account representative.
For more information about the Cisco Unified Wireless Network framework, visit: http://www.cisco.com/go/unifiedwireless
For more information about the wireless LAN security solution for large enterprises, visit: http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns386/networking_solutions_package.html
For more information about the Cisco Self-Defending Network, visit: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_package.html
For more information about Network Admission Control, visit: http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
For more information about the Cisco Secure Access Control Server for Windows, visit: http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
For more information about Cisco Wireless LAN Services, visit: http://www.cisco.com/go/wirelesslanservices
The Cisco Secure Services Client includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://openssl.org).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Cisco Secure Services Client complies with OpenSSL and SSLeay license requirements. (http://www.openssl.org/source/license.html)