
Cisco Secure User Registration Tool

Cisco Secure User Registration Tool Version 2.5



Data Sheet



Cisco Secure User Registration Tool (URT) Version 2.5 actively identifies users within the network and creates user-registration-policy bindings for policy registration, mobility, and tracking. Cisco Secure URT v2.5 introduces an extensible Web front-end client and Remote Authentication Dial-In User Service (RADIUS)-based back-end infrastructure, making the product appealing to an extended range of customer network sizes and applications.

Overview

Cisco Secure URT v2.5 is an important piece of the Cisco next-generation identity-management-solution suite. Cisco Secure URT is a virtual LAN (VLAN) assignment service that provides LAN security by actively identifying and authenticating users and then associating them only to the specific network services and resources they need through dynamic VLAN assignments to Cisco Catalyst® Switch networks. URT v2.5 introduces many innovative features, including a Web-based logon from Windows, Macintosh, and Linux clients, RADIUS and Lightweight Directory Access Protocol (LDAP) authentication, and a secure link between the client and the VLAN Policy Server (VPS). It also includes a security feature based on the Media Access Control (MAC) address that prevents users from accessing the network if they are not using authorized machines.

Cisco Secure URT assigns VLAN-based policies to switch ports based on user authentication to existing Microsoft Windows NT, Active Directory, Novell Netware Directory Services (NDS) or RADIUS directories. VLAN policies are applied via Cisco VPS servers, which, when distributed throughout the network, provide better login load sharing and greater availability to the network. Unless a user provides a valid username and password to the authentication server, that user will remain in a "logon VLAN" with no access to the corporate or service provider network. Because URT uses existing user-authentication mechanisms, policies are applied transparently to users and are easily deployed in any existing network.

Cisco Secure URT intelligently monitors and manages user identification, locations, and network access times. It detects when a user is authenticated and places that user into the appropriate VLAN based on policies that are preassigned through the URT administrative interface. Cisco Secure URT also prevents unauthorized access to protected VLANs and subnets by disallowing access to unauthorized users. This protection is accomplished through a user registration process (started at user login) that can result in logically blocking connection to the protected VLAN or subnet if the attached user is not authorized for access.

The Cisco Secure URT architecture consists of the following components (Figure 1):

Figure 1  Cisco Secure URT v2.5 Components and Architecture

URT Administrator Server—Main component of Cisco Secure URT Solution. The Cisco Secure URT Administrator Server operates as a central collection point for events and log information sent from all VPSs under its control.

URT Management Interface—Assigns VLANs to users, groups, organizational units, or MAC addresses and also establishes Windows NT, AD, NDS, and RADIUS domain associations.

URT VPS—Runs on an external one-rack-unit-high appliance and is responsible for setting a client's switch port based on the login user name, group name, organizational unit, or MAC address. It is also used for authenticating and assigning VLANs to Web users.

URT Client Module—The Client Module logon script is pushed from the URT Administrator Server to the Windows NT/NDS domain controllers, and it is automatically installed on the traditional client machine to enable user authentication.

URT Web Client Module—The Web client module is invoked automatically from the user's Netscape or Microsoft Internet Explorer Web browser and performs the same functionality as the URT Client Module. It is downloaded in a signed Java Archive (JAR) file using a Web applet. This application is used to prompt for a user ID, password, and user authentication domain.

With a Web-based secure logon from a Windows, Macintosh, or Linux client, the user logs in to the VPS for authentication without having to download any application on the desktop. Cisco Secure URT provides authentication through any standard RADIUS server such as a Cisco Secure Access Control Server (ACS).

New Features in Cisco Secure URT v2.5

Cisco Secure URT v2.5 introduces the following features:

Web Client Logon Interface—URT v2.5 supports Web-based authentication for Windows, Macintosh, and Linux client platforms. When users launch a Web browser, they are automatically redirected to the URT logon Web page (Figure 2) until they are successfully authenticated and switched to the user-assigned VLAN. Users will be given the choice to authenticate to any LDAP or RADIUS domains that are preprovisioned in the URT Administration Tool. The URT Administrator can also choose to customize the logon Web page to post any advertising or announcement messages.

Figure 2  Default Web Login Window

MAC-Based Security Option—The MAC-based security option provides extended security to protect user access to the logon VLAN from unregistered PCs. This feature is particularly important for customers who do not want to expose their logon VLANs to unrecognizable MAC addresses. It allows administrators to control users' access from registered PCs only and thereby reduce the spread of viruses and attacks from infected or non-controlled PCs. When this option is enabled, two options are presented: switching the port to a provisionable "Security Violation VLAN" with limited access capabilities, or shutting down the switch port.

RADIUS Authentication and Accounting Support—In Cisco Secure URT v2.5, RADIUS authentication is offered for Web logon. RADIUS accounting is also supported once a user is successfully authenticated via a RADIUS server.

Cisco Secure URT v2.5 was tested with the Cisco Secure Access Control Server (ACS). Please refer to the "Configuring RADIUS Server for URT" white paper at http://www.cisco.com/go/urt for more information.

Secure Link Between Cisco Secure URT Client and VPS Server—Security authentication and data encryption have been added to URT v2.5 to enable a more secure connection from the user. The protocol between the Cisco Secure URT Client Module and the VPS is secured to protect user access against unwanted intrusion or malicious attacks.

LDAP Support (Active Directory and NDS directories)—Cisco Secure URT v2.5 supports Windows' Active Directory and Novell's NDS LDAP servers. Through the Cisco Secure URT Administrator Server, the users, groups, or organizational unit trees are retrieved using LDAP.

Multiple Users Per Port—Previous versions of Cisco Secure URT supported only a single user logon on a single port. If more than one MAC address was detected on a port, the port was moved back to the logon VLAN. URT v2.5 has an option to allow multiple users connected to a hub served by a single switch port. The URT Administrator can allow only one user per port or multiple users per port based upon the logged-in user ID.

Display of Windows NT Groups—The URT Administrator interface is enhanced to display the users belonging to a Windows NT group. By displaying the users for a group, the administrator can now select the group, get a list of users for that group and then assign a VLAN to a group or a user within a group (Figure 6).

Figure 6  Group/User Display in the Administrator Server

MAC Address Events History—Previous versions of URT reported only user-based logon/logoff history events. With URT v2.5, MAC-address-based logon/logoff events are added as an option and reported to the history events tool on the URT Administrator Server.

Features and Benefits

Table 1 outlines the benefits of Cisco Secure URT v2.5.

Table 1  Features and Benefits of Cisco Secure URT v2.5 

Features | Benefits

Controls LAN access through Web-based user login | Access control at the network edge; complements dialup access security

Works on any LAN port | User mobility

Is transparent to end users | Lower cost of installation; lower cost of ownership

Binds Windows NT primary domain controller (PDC), Active Directory, NDS, and RADIUS users to a VLAN | Uses existing security servers; separates user communities

Allows configuration by organizational unit, user group, user, or MAC address | Provides scalable user management

Works from a Windows, Macintosh, or Linux Web client operating system | Uses most common operating systems

Connects to RADIUS servers | Adds an authentication, authorization, and accounting (AAA) mechanism through IETF-compliant RADIUS servers

Complements DHCP server | Improves user management

Provides redundant policy servers | Increases availability

Provides centralized administration of policy servers | Lowers cost of ownership

Supports audit trace | Increases security audit

Supports import of initial configuration from CiscoWorks | Lowers cost of installation; uses existing Cisco network management applications

Applications

Network security becomes critical as organizations continue to increasingly use the Internet for e-commerce and extranets. Most organizations have deployed authentication tools at the edge of the network to improve security and to control user access to the network. To minimize costs and ensure consistent, robust security, organizations need to manage these secure networks and their associated services with a controlled user access that is scalable and mobile.

Cisco Secure URT supports the diverse requirements of Cisco customers from small and midsize businesses to large enterprises building corporate intranets and service providers. Cisco Secure URT architecture and secure remote management capabilities enable deployment in a multitude of environments and provide significant flexibility to customers. Cisco Secure URT plays an increasingly important role in midsize-to-large enterprises, enabling them to protect network access points such as conference rooms, shared offices, and other areas common to visitors and vendors. These users might only need to access the Internet and should not be given access to the entire corporate network. However, regular employees should be granted the same privileges as if they were accessing the network from their own offices.

Ordering Information

Cisco Secure URT v2.5 is available in the following three packages (Table 2). For part numbers, refer to the Cisco Secure URT v2.5 Product Bulletin.

Table 2  Cisco Secure URT v2.5 Packages

URT v2.5 Packages | Descriptions

Cisco Secure URT v2.5 Starter Package | Includes one VPS appliance and 1 Cisco Secure URT v2.5 application software license

Cisco Secure URT v2.5 Upgrade Kit | Includes software necessary to upgrade from Cisco Secure URT v2.0 to v2.5 (available through Cisco.com download only)

Standalone Cisco Secure URT VPS Appliance | Used in distributed or redundant network deployments; Cisco recommends that you combine at least one unit with the Cisco Secure URT v2.5 Starter Package if using the Web Logon feature


System Requirements

Table 3 summarizes the minimum system requirements and compatibility for Cisco Secure URT v2.5.

URT Admin Server:

Windows 2000 server SP4

Windows XP Professional SP1

Windows Server 2003 (Standard Edition)

Min H/W (Pentium III, 512MB DRAM, 64 MB of disk space)

URT VPS:

Cisco VLAN Policy Server 1101

Cisco VLAN Policy Server 1102

Browsers for Web Logon:

Netscape version 6.2 and 7.0

IE version 5.5 (SP2) or 6.0 (SP1)

Client OS:

Windows 98 SE, Windows NT4 Workstation/Server (SP6), Windows 2000 Professional/server (SP4), Windows XP Professional (SP1), Windows XP (SP1) Home (Web Client Only), Mac OS 10.1 (Web client only), Linux Redhat (7.1)/ SuSE (7.2)/ Mandrake (7.2)/ VA (6.2) (Web Client only)

Min H/W for Web client (Pentium II, 64MB DRAM, 1 MB of disk space)

Min H/W for traditional client (Pentium II, 64MB DRAM, 1MB of disk space)

For More Information

Documentation

For more information on Cisco Secure URT 2.5, including the user guide, supported devices, release notes, and supported OS service packs, visit http://www.cisco.com/go/urt.

Contacts

For specific product functionality or technical questions, send e-mail to the Cisco Secure URT product marketing group at URT-MKT@cisco.com

For questions or product ordering, availability, and support contract information, send e-mail to ciscoworks@cisco.com

http://www.cisco.com/pcgi-bin/ibld/view.pl?i=support&m=GUEST

Or send an e-mail to Enterprise Management at ENM-MKT@cisco.com