Cisco Secure User Registration Tool Q&A

Cisco Secure User Registration Tool Version 2.5


Q. What is the Cisco Secure User Registration Tool (URT)?

A. Cisco Secure URT is a security product from Cisco Systems that controls user access to the LAN for wired hosts. Control is enforced through user authentication to existing login servers such as Microsoft Windows NT, Windows Active Directory (AD), Novell Directory Services (NDS), or Remote Authentication Dial-In User Service (RADIUS).

Q. How does URT work?

A. URT detects when a user is authenticated and places that user into the appropriate VLAN according to policies preassigned through the URT administrative interface. As a result, LAN user traffic is partitioned through VLAN port assignments based on the user's identity. If a user does not authenticate successfully, the access port is placed into a limited-service VLAN. With URT, an open RJ-45 wall jack no longer gives an unauthenticated host access to the corporate network; until someone authenticates, the port carries only the limited-service VLAN.

Q. What are the value-added benefits of Cisco Secure URT v2.5?

A. URT v2.5 addresses user and device LAN registration needs such as dynamic VLAN assignment, Web-based authentication, Layer 2 port isolation on access switches, and user monitoring and tracking. URT takes advantage of the switching infrastructure by restricting data traffic until a user has been authenticated at the access switch. With a Web-based secure logon from Windows, Macintosh, or Linux clients and a RADIUS-based back-end infrastructure, Cisco Secure URT suits a wide range of network sizes and applications.

Q. What new features are supported in Cisco Secure URT Version 2.5?

A. Cisco Secure URT v2.5 introduces many features, including:

  • Web-based logon from Windows, Macintosh, and Linux clients
  • RADIUS authentication and accounting support
  • Secure link between the URT client and the VLAN Policy Server (VPS)
  • Support for Lightweight Directory Access Protocol (LDAP) AD and NDS directories
  • Media Access Control (MAC) security option that restricts unregistered hosts
  • Multiple users per port based on logged-on user IDs
  • MAC address events history
  • Enhancements to the URT Administrator Server graphical user interface (GUI)

Q. What are the components of a Cisco Secure URT solution?

A. Cisco Secure URT v2.5 consists of the following components:

  • URT Administrator Server—Sets and retrieves VLAN and policy data from the switch and also interfaces with the LDAP servers, Windows NT, and NDS as well as the RADIUS servers. The Cisco Secure URT Administrator Server also operates as a central collection point for events and log information sent from all VPSs under its control.
  • URT VPS—Runs on an external one-rack-unit (1RU) appliance and is responsible for setting a client's switch port VLAN based on the login user name, group name, organizational unit, or MAC address. It also authenticates and assigns VLANs to Web users. The Web page displayed to the user at logon is generated on the URT VPS; the system administrator can customize it from the URT Administrator console.
  • URT Web Client Module—Java-based applet that is automatically downloaded from the URT VPS. This application is used to prompt for a user ID, password, and user authentication domain.
  • URT Client Module—Logon script that is pushed from the URT Administrator Server to the Windows NT and NDS domain controllers and is automatically installed on the traditional client machine to enable user authentication.

Q. What events take place during a Web-based logon session, and how do they differ from client logons in the previous version of URT (version 2.0)?

A. In the URT user documentation, URT v2.0 client logons are referred to as traditional client logons. With a traditional logon, the user is first authenticated by the domain controller. Upon authentication, the logon script executes and the client sends logon packets to the VPS, which looks up the predetermined VLAN assignment. The switch then receives the VLAN assignment request from the VPS and moves the user to the appropriate VLAN. Finally, the logon script on the PC initiates a DHCP release/renew, and the user is ready to go.

For Web client logon, the process is slightly different. The user opens a browser, and the Web logon page is displayed. The user can then authenticate to any of the LDAP (Active Directory or NDS) or RADIUS domains that are preprovisioned in the URT Administration Tool. The logon request is sent to the VPS, which acts as a RADIUS or LDAP proxy for the Web logon. Upon receiving the logon response, the client sends a logon acknowledgment to the VPS, which sends a VLAN Query Protocol (VQP) request to the switch to move the user to the appropriate VLAN. Finally, the client software on the PC initiates a DHCP release/renew.

Q. What is the Cisco Secure URT Web Client Module?

A. The Web Client Module is new to Cisco Secure URT v2.5. It runs in the user's Netscape or Microsoft Internet Explorer Web browser and performs the same function as the URT Client Module. The program is delivered as a signed Web applet that runs in the Java plug-in of the supported browsers on Linux and Macintosh. If the required plug-in is not installed, the user is prompted to download the correct version from the VPS. On Windows no plug-in is needed, because a natively compiled executable is used instead.

Q. Does Cisco Secure URT v2.5 still support Windows Domain and NDS logons?

A. Yes. URT v2.5 will continue to support Windows Domain and NDS logons.

Q. What modifications are required for servers to work with Cisco Secure URT?

A. For traditional clients, a URT logon script is installed on the domain controller (as in Cisco Secure URT v2.0). For Web clients, the DHCP scope for the logon VLAN needs to hand out the primary and secondary VPS addresses as the Domain Name System (DNS) servers, so that users get the Web logon window when they open a browser.

Q. Can multiple RADIUS servers be assigned to one RADIUS domain in the Administrator Server?

A. Yes. For failover and redundancy, the URT Administrator can choose a RADIUS domain name and use it in the Domain Name field when adding multiple RADIUS servers. If a user selects that RADIUS domain in the logon window, URT tries to log the user in to each RADIUS server belonging to that domain.

Q. What are the benefits of the enhanced security features that are added in Cisco Secure URT v2.5?

A. Encryption and authentication are added between the URT desktop clients and the URT VPS to protect the logon exchange against eavesdropping and spoofing.

Q. What types of LDAP authentication servers are supported with Cisco Secure URT v2.5?

A. Cisco Secure URT v2.5 supports both Active Directory and NDS LDAP servers. Through the URT Administrator Server, the user, group, or organizational unit tree is retrieved using LDAP.

Q. Can URT support authentication to a generic LDAP directory?

A. Yes. Cisco Secure URT v2.5 can authenticate to a generic LDAP directory (such as iPlanet) through Cisco Secure Access Control Server (ACS). ACS today supports a wide array of user databases, including generic LDAP, ODBC, SQL, Novell, NT domains, and proxied RADIUS servers.

Q. Can URT support One Time Passwords (OTP) authentication?

A. Yes. Cisco Secure URT v2.5 can support OTP authentication through Cisco Secure Access Control Server (ACS). ACS today supports a wide array of OTP servers, including RSA/ACE, Secure Computing SafeWord tokens, and CRYPTOCard tokens, to name a few.

Q. What is the purpose of the MAC security feature?

A. Cisco Secure URT v2.5 adds a layer of system-based control by checking MAC addresses. This option lets customers protect the logon VLAN by refusing access to unregistered PCs, reducing exposure to attacks from unknown hosts. Unregistered PCs are placed in a customizable "Security Violation VLAN" with limited access to internal resources. Because a host can set its own MAC address, this feature identifies registered systems rather than strongly authenticating them; user authentication remains the primary control.

Q. Can Cisco Secure URT v2.5 work with mixed Active Directory, NDS, and NT domains?

A. Yes. Customers can administer multiple Active Directory, NDS, or NT users or groups from the URT Administration Tool.

Q. Does Cisco Secure URT support multiple users or devices per port?

A. Yes. Previous versions of Cisco Secure URT supported only a single user system on a single port. Cisco Secure URT v2.5 has the option to allow multiple users connected to a hub that is served by a single switch port. The URT Administrator can allow one user per port or multiple users per port based on the logged-in user ID.

Q. Can multiple users on the same port be assigned to different VLANs?

A. No. All users on the port are placed in the VLAN of the first user who logged on to that port.

Q. Can Cisco Secure URT support a host connected to a Cisco voice-over-IP (VoIP) phone data port?

A. Yes. When Cisco VoIP phones are configured in an auxiliary VLAN, URT continues to function as if the host were connected directly to a switch port. The auxiliary VLAN (also referred to as the voice VLAN) feature is required on the Cisco Catalyst switch to provide this support. It is supported today on the Cisco Catalyst 6000, 2950, and 3550 series switches.

Q. Why should I buy Cisco Secure URT when the VLAN Membership Policy Server (VMPS) server already exists in my switch?

A. The switch-based VMPS server only controls VLAN assignments based on MAC addresses. URT lets you control user authentication. Cisco Secure URT extends the functionality of the switch-based VMPS server, transforming it from a Layer 2 MAC-to-VLAN mapping solution into a Layer 7 application-based solution built on user-to-VLAN mapping. URT also scales better by consolidating and centralizing this management control service in one administrative interface (VMPS requires configuration of VLAN mappings in every single switch). Moreover, URT offloads the VMPS server function from the Cisco Catalyst switches onto a dedicated appliance with backup capabilities. Overall, this setup offers a greater degree of sophistication, better fault tolerance, and tighter integration with login servers.

Q. What are the value-added benefits of Cisco Secure URT to a campus Layer 2 environment?

A. Cisco Secure URT brings many benefits to a typical campus environment. It complements dynamic port mapping on Cisco access switches (Cisco Catalyst 2950 and 3550 switches) for supporting remote branch access, frequent reorganizations and common/shared area protection in enterprise environments. URT also allows the VPS servers to be distributed across the network for higher scalability and redundancy protection. Lastly, the URT serves as a central user and MAC-based registration collection point for tracking and monitoring purposes.

Q. Does Cisco Secure URT support IEEE 802.1X based authentication?

A. No. URT v2.5 does not support IEEE 802.1X based authentication; it does, however, avoid the dependency on an 802.1X supplicant on every client. Today, Cisco Secure ACS v3.X supports 802.1X and, together with URT, provides a complete AAA LAN registration solution for both wired and wireless LAN access across an extended range of client OS types.

Q. What are the current port security benefits of URT compared to an existing 802.1X based solution?

A. Cisco Secure URT version 2.5 presents important benefits compared to an existing 802.1X based solution, mainly:

  • Support for multiple VLAN tagging (dynamic VLAN assignments)
  • Real time user/device tracking
  • VLAN/Switch Import capability
  • Support for non 802.1X enabled clients
  • Web based logon capability
  • VMPS extension to Catalyst switches (MAC based authentication)
  • Support for all Catalyst switches (802.1X is not available on older switches)
  • Availability of a GUI based provisioning tool for user to VLAN or MAC to VLAN associations

Design Guidelines

Q. How many users can a VPS support?

A. A single VPS supports 3500 to 5000 users or ports, depending on the frequency of user logins. Refer to the Cisco Secure URT v2.5 Design Guide for details.

Q. What are the deployment and design rules for VPS?

A. For Web logons Cisco recommends a dedicated VPS that acts as the Web server. For a large number of Web users, a Cisco LocalDirector can be inserted to load-balance across several VPS Web servers. On the user-access side, load balancing is achieved by sharing a VPS among multiple switches (acting as primary for one switch and secondary for another), which also provides redundancy if a VPS fails. For example, in a single campus with 10,000 ports, the minimum URT configuration is three VPSs under an N+1 rule: half of the switches use one VPS as primary, the other half use a second, and all switches share the third VPS as their secondary. Additional VPSs should be placed according to the VLAN layout and the geographical location of users, to avoid carrying VLANs across the core backbone.
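A concrete way to check a layout against these rules, added here as an example and not a Cisco tool: the per-VPS capacity is left as a parameter because the previous answer quotes a range (3500 to 5000 ports, depending on logon rate), and the switch sizes are constructed. The 10,000-port example above is modeled with two primaries and a shared third VPS, and compared with a ring in which every VPS is primary for some switches and secondary for the next one. The failover check is what shows why the shared secondary is the right shape: it has to absorb one failed primary, whereas in the ring each VPS would have to absorb a neighbour's whole load on top of its own.

```python
"""Capacity and failover check for a URT VPS layout. Added example for this
page's design guidelines, not Cisco tooling. Per-VPS capacity is a parameter
because the page quotes a range (3500 to 5000 ports, depending on logon rate)."""


def primary_loads(switch_ports, layout):
    """Ports each VPS serves as primary. layout maps switch -> (primary, secondary)."""
    loads = {}
    for switch, (primary, _secondary) in layout.items():
        loads[primary] = loads.get(primary, 0) + switch_ports[switch]
    return loads


def steady_state_overloads(switch_ports, layout, capacity):
    """VPSs that already exceed capacity with every VPS up."""
    return {vps: load for vps, load in primary_loads(switch_ports, layout).items()
            if load > capacity}


def failover_overloads(switch_ports, layout, capacity):
    """Fail each primary in turn. A switch falls back to its secondary, which then
    carries its own primary load plus everything it inherits. Returns
    {(failed_primary, secondary): resulting load} for each case over capacity."""
    loads = primary_loads(switch_ports, layout)
    over = {}
    for failed in loads:
        inherited = {}
        for switch, (primary, secondary) in layout.items():
            if primary == failed:
                inherited[secondary] = inherited.get(secondary, 0) + switch_ports[switch]
        for secondary, extra in inherited.items():
            total = loads.get(secondary, 0) + extra
            if total > capacity:
                over[(failed, secondary)] = total
    return over


def vps_count_for(total_ports, capacity):
    """Minimum appliances under the page's N+1 rule: enough primaries to hold
    every port at the chosen per-VPS figure, plus one shared secondary."""
    return -(-total_ports // capacity) + 1


# Constructed campus: seven access switch stacks, 10,000 ports in total.
SWITCH_PORTS = {"bldgA-1": 1440, "bldgA-2": 1440, "bldgB-1": 2120, "bldgB-2": 960,
                "bldgC-1": 1200, "bldgC-2": 1400, "bldgD-1": 1440}

# The page's layout: half the ports on vps1, half on vps2, vps3 secondary for all.
SHARED_SECONDARY = {
    "bldgA-1": ("vps1", "vps3"), "bldgA-2": ("vps1", "vps3"), "bldgB-1": ("vps1", "vps3"),
    "bldgB-2": ("vps2", "vps3"), "bldgC-1": ("vps2", "vps3"), "bldgC-2": ("vps2", "vps3"),
    "bldgD-1": ("vps2", "vps3"),
}

# Alternative: three VPSs all acting as primary, each backing up the next in a ring.
RING = {
    "bldgA-1": ("vps1", "vps2"), "bldgA-2": ("vps1", "vps2"),
    "bldgB-1": ("vps2", "vps3"), "bldgB-2": ("vps2", "vps3"),
    "bldgC-1": ("vps3", "vps1"), "bldgC-2": ("vps3", "vps1"), "bldgD-1": ("vps3", "vps1"),
}

if __name__ == "__main__":
    for name, layout in (("shared secondary", SHARED_SECONDARY), ("ring", RING)):
        for capacity in (5000, 3500):
            print(name, capacity,
                  steady_state_overloads(SWITCH_PORTS, layout, capacity),
                  failover_overloads(SWITCH_PORTS, layout, capacity))
```

At 5000 ports per VPS the shared-secondary layout passes both checks, but only just: the third VPS inherits a full 5000 ports when a primary fails. At the conservative 3500 figure the same layout is already over capacity in steady state and the N+1 rule calls for four appliances. The ring passes in steady state and fails on every single failover, which is the case a sizing done by summing ports alone would miss.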

Q. How does VPS failover work?

A. A single switch can be assigned as many as three VPS servers: one primary and two secondary. In normal operation, keepalive traffic runs between the primary VPS and a secondary VPS. When the primary VPS goes down, the secondary takes over and the switch downloads all of its VLAN information to the secondary VPS. When the primary comes back up, the switch detects this within about 5 minutes and reverts to the primary VPS.

Q. How does the URT Administrator Server perform group refreshes against its associated domain controllers?

A. During a group refresh, the URT Administrator Server checks the domain controllers in the order you specified when configuring them in the Administrator Server. If the first one in the list is unavailable (by default, the primary domain controller [PDC]), it tries the next one (a backup domain controller), and so on. URT also lets you delete a domain controller in the Group Refresh Order dialog, so that group refreshes and the logon script go only to the domain controllers on the provisioned list. This allows multiple URT Administrator Servers to manage the same NT domain, each serving a different set of domain controllers. Delete a domain controller from this list with care: it then receives neither group refreshes nor the logon script from this Administrator Server, so clients that log on through it will not run the URT logon script unless another Administrator Server serves that controller.

Q. What happens when the URT Administrator Server crashes?

A. URT continues normal operation, and end users do not notice the failure. However, automatic installation and upgrade of URT client modules stops working for traditional clients; Web logon users are not affected. In either case, while the URT Administrator Server is down, the VPS stores the logon and logoff events (from switches and users) locally on disk and forwards the stored events to the Administrator Server once it is back up.

Q. If a logged-on user disconnects a laptop in an office and reconnects in a conference room, are they required to log in again?

A. No. The user does not have to log in again.

Q. Is the transfer of RADIUS accounting records stopped if a user pulls out a cable connection by accident?

A. No. An accounting record is sent to the RADIUS server after the cable is pulled out, and accounting resumes when the user reconnects, on the same switch or on another switch port.

Q. Does a logged-on user who has their VLAN attribute changed in Cisco Secure URT get assigned to a new VLAN without logging on again?

A. Yes. URT switches the user to a new VLAN assignment within 5 minutes when using NT, Active Directory, or NDS. For a RADIUS user, this interval is set by default to 60 minutes but can be changed in 5-minute increments through the RADIUS Client Verify Attributes settings in the URT Administration Tool.

Q. What happens when a logged-on client's browser crashes?

A. A browser crash should not affect a logged-on user.

Q. How does the Web client get to the Web logon page?

A. When a Web client connects to the switch, it is placed in the logon VLAN and performs a DHCP release/renew. One of the options in the DHCP lease it receives is the address of the DNS server that runs on the URT VPS. When the Web browser is launched, that DNS server directs the client to the Cisco Secure URT logon authentication page, which is downloaded from the VPS.
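The redirect described above works only if the logon VLAN's DHCP scope hands out nothing but VPS addresses as DNS servers (DHCP option 6). Any other resolver in that list means a browser on the logon VLAN resolves real names and is never sent to the logon page. The Python below, added here and not part of Cisco's product or this Q&A, parses the options field of a DHCP message and checks an ACK against a list of VPS addresses; the addresses and the leases are constructed for the example.

```python
"""Check that a DHCP lease on the URT logon VLAN hands out only VPS addresses
as DNS servers (option 6). Added example, not Cisco code."""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255
DHCPOFFER, DHCPACK = 2, 5


def parse_options(data):
    """Parse a DHCP options field (RFC 2132 TLVs after the magic cookie) into
    {code: value}. A repeated code is concatenated, as RFC 3396 allows."""
    if not data.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, pos = {}, len(MAGIC_COOKIE)
    while pos < len(data):
        code = data[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            return opts
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        opts[code] = opts.get(code, b"") + value
        pos += 2 + length
    raise ValueError("no End option")


def addresses(value):
    """Decode an option carrying a list of IPv4 addresses."""
    if not value or len(value) % 4:
        raise ValueError("address list must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def logon_vlan_dns_ok(options_bytes, vps_addresses):
    """True only for a DHCPACK whose DNS servers are all VPS addresses. Any other
    resolver lets the browser reach real names and bypass the logon page."""
    opts = parse_options(options_bytes)
    dns = opts.get(OPT_DNS)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]) or not dns:
        return False
    return set(addresses(dns)) <= set(vps_addresses)


def build_options(msg_type, router, dns_servers):
    """Construct a sample options field (used here only to fabricate test leases)."""
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    body += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    packed = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    body += bytes([OPT_DNS, len(packed)]) + packed
    return MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed addresses for a logon VLAN: primary and secondary VPS.
VPS_DNS = ["10.200.0.11", "10.200.0.12"]
```

To use it on a real network, feed logon_vlan_dns_ok the bytes of a captured DHCPACK from the magic cookie onward, together with the VPS addresses from the Administrator Server. A scope that has been copied from a production VLAN and still lists the corporate resolvers is the usual way this check fails.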

Q. Can the Cisco Secure URT logon page be secured through Secure Socket Layer (SSL)?

A. No. Instead, Cisco Secure URT v2.5 introduces an encryption key exchange mechanism that secures communication between the URT Web client and the VPS during client logon. Because the logon page itself is not served over SSL, the browser cannot verify the identity of the VPS with a server certificate; the protection of the credentials rests on the key exchange between the downloaded client module and the VPS.

Q. Does Cisco Secure URT support native Internetwork Packet Exchange (IPX) clients?

A. No. URT supports Novell clients that use TCP/IP for transport.

Q. Can an Active Directory imported as an LDAP server in Cisco Secure URT be used for both traditional and Web client authentication?

A. Yes. If an Active Directory server is imported as an LDAP server in the Administration Tool, it could be configured to support both traditional clients as well as Web clients. The tool defaults to a "Web clients only" setting, but a checkbox in the GUI allows the LDAP server to work for both types of clients.

Q. How do I provision my switches to work in a VTP domain recognizable by Cisco Secure URT?

A. The access switches that would be part of the URT network environment should be configured for VTP client or server switch modes to work with URT. However, the core or distribution switches that connect to a switch or router that does not support Layer 2 protocols like VTP should be configured for VTP transparent mode with IP inter-VLAN routing enabled.

Q. Can one VLAN ID in a Cisco Secure URT database contain more than one IP subnet?

A. Yes. You can enter multiple subnets per VLAN within the URT Administrator Server interface.

Q. If the Active Directory or RADIUS authentication server fails, how can a user log on to the network via Cisco Secure URT?

A. Ideally, you would have multiple Windows 2000 domain controllers that share the same Active Directory schema. If one were to fail, another one can take the place of a failed domain controller and authenticate clients. URT can talk to a backup domain controller automatically if the primary were to fail. Also, URT allows redundant RADIUS servers (belonging to a single domain) to be specified for Web client authentication, and if one were to fail, another can be queried. This assumes that the user databases are synchronized to ensure that clients can still log on even if the primary authentication server fails.

Q. Can this product work with end stations that have static IP addresses (non-DHCP environments)?

A. No. DHCP is a critical component of the overall solution. DHCP is used for issuing an IP address on the logon VLAN when the user first attaches to the network, and then for reissuing new addresses to clients after they have been identified by the URT server and are placed in their assigned VLAN. Users who do not use DHCP will remain in the logon VLAN, and they will not be able to connect to corporate servers.

Q. How much expertise is needed to install and use Cisco Secure URT?

A. The network administrator needs to be familiar with URT overall functionality, with Microsoft Windows NT or 2000 domain controllers or Novell NDS servers, with DHCP clients, and with VLAN/VTP configuration within Cisco Catalyst switches.

Q. Can Cisco Secure URT work with multiple NT domains?

A. Yes. Customers can administer multiple NT users or groups from the URT administration interface.

Q. Can Cisco Secure URT work with multiple VTP domains?

A. Yes. Customers can configure users to belong to multiple VTP domains or VLANs. Furthermore, URT can centrally place and handle VMPS client requests from multiple VTP domains because these requests carry the VTP designation with them when they are forwarded to the VPS server.

Q. Do I need to preserve my VPS database when I totally reinstall software on it?

A. The VPS database does not need to be backed up because you can reinitialize it from the Administrator Server. You first delete the VPS from the administration interface. When you add the VPS again, all the required data is reloaded from the Administrator Server.

Q. Can I install the Cisco Secure URT Client Module from a CD or floppy disk?

A. No. Cisco Secure URT client modules are installed automatically during the first login attempt for Windows 98 clients and are pushed from the administration interface for Windows NT or Windows 2000 clients.

Q. How does the "multiple user per port" feature work in Cisco Secure URT v2.5?

A. Cisco Secure URT v2.5 allows multiple users on a switch port at the same time. The first user authenticates and the port is moved to that user's VLAN; all systems on the port are then allowed to use that assigned VLAN. Each user on the port does not get a VLAN of their own: the switch port carries one VLAN for all of the systems behind it.

Q. Does the multiple-user-per-port feature in Cisco Secure URT v2.5 apply also to MAC-to-VLAN assignments?

A. No. For security purposes, if more than one MAC address is presented on a specific port, the URT moves the port to the logon VLAN once the switch notifies URT of such a state.

Compatibility and System Requirements

Q. What new Cisco switches does Cisco Secure URT v2.5 support?

A. For a complete list of supported switches and devices, refer to Supported devices for Cisco Secure URT v2.5.

Q. What types of clients work with Cisco Secure URT v2.5?

A. Cisco Secure URT supports Windows as well as Macintosh and Linux clients. For a complete list of supported operating systems and service packs, refer to the Cisco Secure URT v2.5 Release notes.

Q. Does Cisco Secure URT v2.5 support Windows XP clients?

A. Yes. Cisco Secure URT v2.5 supports Windows XP Home and Professional clients.

Q. Does Cisco Secure URT v2.5 support any RADIUS server?

A. Cisco Secure URT v2.5 supports any Internet Engineering Task Force (IETF)-compliant RADIUS server that supports Vendor-Specific Attribute No. 26.
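Two passages on this page meet in the RADIUS exchange: the Web logon flow earlier, where the VPS proxies the user's credentials to a RADIUS server, and the attribute 26 requirement here. The Python below is an added example and not Cisco code. It builds the Access-Request with the RFC 2865 User-Password hiding, checks the Response Authenticator on the reply (the step that keeps a forged Access-Accept from admitting a user), and decodes Vendor-Specific attribute 26 using Cisco's IANA vendor number 9. The shared secret, user name, NAS address and VSA payload are constructed; the page does not document which vendor attributes URT reads, so the sub-attribute content is only an illustration.

```python
"""RADIUS proxy step of a URT Web logon, as an added example (not Cisco code):
build the Access-Request with RFC 2865 User-Password hiding, verify the
Response Authenticator on the reply, and decode Vendor-Specific attribute 26."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
CISCO_VENDOR_ID = 9  # IANA enterprise number for Cisco


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with
    MD5(secret + previous ciphertext block), block 1 with the Request
    Authenticator. Keyed obfuscation, not encryption: the shared secret is
    all that protects the password between VPS and RADIUS server."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Attribute TLV: Type, Length (counting these two bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    """Returns (packet, request_authenticator). The authenticator must be fresh
    and unpredictable per request; os.urandom unless a test supplies one."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def build_response(code, request, secret, attrs=b""):
    """Server side, for the demo: same ID as the request, Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(packet, request_authenticator, secret):
    """Check the Response Authenticator before honouring an Accept; without
    this anyone between VPS and RADIUS server could forge one."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_tlvs(data, start):
    """Walk Type/Length/Value triples from offset start, rejecting the short
    or over-long lengths a hostile reply might carry."""
    out, pos = [], start
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header")
        ttype, tlen = data[pos], data[pos + 1]
        if tlen < 2 or pos + tlen > len(data):
            raise ValueError("bad TLV length")
        out.append((ttype, data[pos + 2:pos + tlen]))
        pos += tlen
    return out


def parse_vsa(value):
    """Attribute 26: 4-byte Vendor-Id, then vendor-type/vendor-length/value
    sub-attributes in the layout RFC 2865 recommends."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return [(vendor_id, vtype, v) for vtype, v in parse_tlvs(value, 4)]


def demo(secret=b"constructed-shared-secret"):
    """Round trip against a constructed Accept. The VSA content is only an
    illustration; this page does not document which attributes URT uses."""
    req, ra = build_access_request(7, b"jdoe", b"Pa55word!", secret, bytes([10, 200, 0, 11]))
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + attr(1, b"example-avpair=ENGINEERING")
    accept = build_response(ACCESS_ACCEPT, req, secret, attr(VENDOR_SPECIFIC, vsa))
    vsas = [parse_vsa(v) for t, v in parse_tlvs(accept, 20) if t == VENDOR_SPECIFIC]
    return verify_response(accept, ra, secret), vsas
```

Two points to carry into a deployment: the shared secret is all that protects the password between the VPS and the RADIUS server, so that path belongs on a management segment rather than a user VLAN, and a proxy that skips the verify_response step accepts any Access-Accept that a device on that path chooses to send.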

Q. Does Cisco Secure URT require Windows Internet Naming Service (WINS) support?

A. WINS is required for a Windows NT environment (client or server). However, WINS is not required for a strictly Windows 2000 environment in which Dynamic Domain Name System (DNS) can be a replacement.

Packaging, Ordering, Upgrading, and Support

Q. What are the upgrade paths for Cisco Secure URT Version 1.x and Version 2.0 customers?

A. Cisco provides the following paths for existing customers:

  • Cisco Secure URT Version 1.x customers should buy Cisco Secure URT v2.5 using the new product ordering part number. This upgrade involves moving from a software-only deployment to a combination of software and appliance deployment. No Cisco extended service programs provide this upgrade as an entitlement.
  • Cisco Secure URT Version 2.0 customers should buy Cisco Secure URT v2.5 using the new product ordering part number. This upgrade involves moving from the Cisco 1100 VPS Appliance to the Cisco 1102 VPS Appliance. No Cisco extended service programs provide this upgrade as an entitlement.

Q. Are there any changes to Cisco Secure URT v2.5 packaging from Cisco Secure URT v2.0?

A. Yes. The Cisco Secure URT v2.5 Starter Pack now includes only one VPS appliance (instead of two). This new packaging better reflects how customers are using and deploying the Cisco Secure URT solution. Standalone VPS appliances can be ordered separately if customers want to distribute or scale Cisco Secure URT functionality throughout a larger network or use the Web logon feature in URT v2.5.

Q. What is the minimum number of VPS appliances in a typical Cisco Secure URT deployment?

A. One. However, to take advantage of the Web logon capabilities, Cisco recommends having a dedicated VPS appliance to serve Web clients. Additional VPS appliances should be ordered as needed to allow distributed and redundant designs. Refer to the Cisco Secure URT v2.5 Design Guide for more recommendations.

Q. Does the Cisco Secure URT v2.5 include the same Cisco VPS 1100 Series appliances as Version 2.0?

A. No. Cisco Secure URT v2.5 includes the higher-performance Cisco 1102 VPS appliance. The Cisco 1102 appliance retains the same functionality as the Cisco 1100 appliance but with more processor power and more memory capacity.

Q. Do I have to replace my Cisco 1100 Series VPS appliances when I order the Cisco Secure URT v2.5 upgrade package?

A. Yes. The Cisco Secure URT v2.5 upgrade package does not include software for upgrading existing Cisco Secure URT v2.0 1100 appliances.

Q. Will Cisco Secure URT v2.5 be able to support the Cisco 1101 and 1102 VPS appliances in the same network?

A. Yes. Cisco Secure URT v2.5 will support a mixed environment of the Cisco 1101 and 1102 VPS appliances. Cisco Secure URT v2.0, however, will not. Customers must upgrade to Cisco Secure URT v2.5 before adding any new Cisco 1102 appliances.

Q. Will the Cisco Secure URT v2.5 software upgrade be posted on Cisco.com ?

A. Yes.

Q. Are service programs available to Cisco Secure URT v2.0 customers that would entitle them to no-charge upgrades to Cisco Secure URT v2.5?

A. Yes. Both Software Application Support (SAS) and SMARTnet for hardware are offered for Cisco Secure URT v2.0. These programs provide access to Cisco technical support and repairs of the VPS hardware as well as access to a no-charge upgrade to Cisco Secure URT v2.5 from Cisco.com.