User Guide for the Cisco Secure User Registration Tool Release 2.5
Understanding the Basics
Download this chapter
Understanding the BasicsUnderstanding the Basics
Download the complete book
This is a PDF version of the entire bookThis is a PDF version of the entire book (PDF - 2 MB)
give_us_feedback

Table of Contents

Understanding the Basics
 Understanding What URT Does
 Understanding VLAN Policies
 Processing User Logons and User Logoffs
 Implementing URT in Your Network

Understanding the Basics

User Registration Tool (URT) helps you simplify your network management and control access to key services in your network.

These topics provide basic information about how URT works:

Understanding What URT Does

User Registration Tool (URT) is a security application in the Cisco Secure product line that controls user access to the LAN. User access is granted through authentication to Windows NT, Novell Directory Services (NDS), or Active Directory (AD) domain controllers. Until a user is authenticated, URT places the user in a logon VLAN that cannot access corporate data servers.

URT facilitates enterprise security, mobile user access, and corporate reorganizations. You can develop VLAN-based security policies and make sure that users access only the authorized services.

As users move from system to system in your network, URT identifies them based on their logon username and applies the appropriate VLAN policy for each user. You can use URT to create and manage VLAN-based security policies based on a username or a user's membership in a group or organizational unit.

URT supports Microsoft Windows clients for traditional logon and Linux and MacOS clients for web logon.

For more information about the web browsers and client platforms supported, see Installation and Setup Guide for the Cisco Secure User Registration Tool.

Figure 1-1 shows the relationship between the required network resources and URT.

Note   The relationship in this illustration is only a generalization: you do not have to place all of the systems on the same network segment.

Figure 1-1   Role of URT in the Network


URT Components

Table 1-1 describes the URT components.

Table 1-1   URT Components

Component Function

VLAN Policy Server (VPS)

Runs on an external appliance and sets a client switch port based on logon username, group name, organizational unit, or MAC address. The VPS handles all logons and acts as a server, delivering VLAN policies to the switches on the network. The VPS has a DNS server and a web server for authenticating and assigning VLANs to web clients.

URT Administrative Server and URT Administrative GUI
(URT main window)
  • The URT Administrative Server stores your VLAN policies and updates the VPS with the VLAN policies.
  • The URT Administrative Graphical User Interface (GUI) lets you create VLAN policies and manage URT. You perform almost all URT functions from the URT main window (the main feature of the Administrative GUI).

Note When you start URT, the main window is displayed, and a separate DOS window (Java console) displays program status and error messages. The DOS window remains open while the Administrative GUI is running. When you close the DOS window, the main window also closes.

URT Client Module

Allows traditional users (those using non-web logons) to log onto the appropriate domain. You can install this module automatically on Windows NT and Windows 2000 client systems.

URT Web Client Interface

Lets web users log on and log off using a web browser. This Java-based interface prompts for a user ID, password, and authentication domain.

Domain server

A Microsoft or Novell server on which software (such as the URT Client Module) required for users' workstations is installed. Domain servers ensure that logons are channeled through the VPSs for VLAN assignments.

Note In this guide, the terms NT host and NT domain also refer to Windows 2000 hosts and Windows 2000 domains.

Lightweight Directory Access Protocol (LDAP) server

Provides authentication and policy management for traditional and web logon clients.

Remote Authentication Dial-In User Service (RADIUS) server

Provides authentication and policy management for web logon clients.

Other Components

Table 1-2 describes other components that URT accesses on the network.

Table 1-2   Other Components URT Accesses on the Network

Component Function

Switches

Because no URT components exist on switches, you must configure the switches in URT as VLAN Management Policy Server (VMPS) clients so they use the appropriate VPS.

Note You can enable the VMPS from the switch command-line interface.

DHCP server

The URT Client Module issues appropriate notifications to the VPS and issues DHCP requests to the DHCP server. For web logons, you must modify the DHCP setting for the logon VLAN so it uses the VPS as the DNS setting. When a user logs on from the web, the web page address is queried in DNS. The response to the query is the IP address of the current VPS.

Tips
  • To enable URT, switches must run the VMPS client.
  • When you configure switches to use a URT VPS, you are setting the switch VMPS configuration.
  • When configuring switches from the command line to use a URT VPS, you use the switch vmps commands.
  • You can use the URT main window to create host-based VLAN policies to run switch-based VMPSs for host-based VLAN policies.

Understanding Traditional Logons and Web Logons

Because traditional URT is not web-based, users log on using the Windows logon.

Note   Traditional logon applies only to Windows clients using Microsoft Networking or Novell NetWare.

Users can also log on from the web on Windows, Linux, and MacOS systems. Web clients are authenticated through LDAP or RADIUS servers.

The same URT Administrative Server and VPS can manage both traditional logons and web logons.

Note   To distinguish between the types of logons, the terms traditional logon and web logon are used in this guide.

URT Security Features

Table 1-3 describes the URT security features for both traditional logons and web logons.

Table 1-3   URT Security Features for Traditional Logons and Web Logons

Security Feature Description

Preventing access until authorized

The URT logon VLAN is used as the default VLAN for a VTP domain. Users are typically assigned to the logon VLAN during initial stages of logon, ensuring that they are authenticated before connecting to other VLANs on the network.

Detecting port down state

URT automatically places a port into the logon VLAN whenever the port state changes to down (for example, when a user disconnects a workstation).

Using secure link between client and VPS

URT security authentication and data encryption provide a more secure connection between the client and the URT VPS. URT uses these VScape Secure Packet Stream (VSPS) protocol specifications:

  • Diffie-Hellman key exchange (1024 bits).
  • HMAC-MD5 or HMAC-SHA1 for authenticating message payload.
  • Payload data field is encrypted (Twofish 256-bit block cipher, CBC mode).

Every client logon generates a different session key, thereby making client logon, client logoff, and sync packets more difficult for others to replay. For data encryption, URT generates four extra packets between the VPS and each logon client. Web clients also have built-in authentication using RADIUS or LDAP servers.

Using MAC security options

You can select only MAC-assigned VLANs and place unauthorized users in a security violation VLAN (rather than the default logon VLAN) or shut down unauthorized users' ports.

Understanding VLAN Policies

You can use both user-based (URT) and host-based (MAC address) VLAN policies in your network, as described in the following topics:

Using User-Based Policies

You can create user-based VLAN policies based on a Windows NT or Windows 2000 user or group name, or a Novell NetWare user or organizational unit name. Using these types of policies allows a user to move from one system to another and remain assigned to the appropriate VLAN and subnet (assuming that a single workstation is connected directly to a switch that supports URT).

User with mobile systems (such as laptops) can connect to any supported switch port and be connected to the correct VLAN and subnet. You must define the associated port as dynamic—if the port has a static VLAN assignment, URT does not override that assignment.

Using Host-Based Policies

You can create host-based VLAN policies by assigning a MAC address to a VLAN. Use host-based VLAN policies primarily with servers directly connected to a supported switch (for example, UNIX or Linux servers). To place a host that does not support user registration in a preassigned VLAN when it starts communicating on the network, you must create host-based VLAN policies.

To create a host-based VLAN policy, you assign VLANs based on the host MAC address associated with the system network interface card (NIC). Because the VLAN policy is based on the MAC address, the host is mapped to a VLAN as soon as it starts communicating on a port. Therefore, no user logon is required.

If there is a one-to-one correspondence between users and hosts (that is, users do not move from host to host), host and user registration provides essentially identical network policy control. Because the VLAN is based on the host MAC address, not the switch port, you can move the host to a different port and make sure that the same VLAN policy is applied. (For example, you can move a laptop between buildings.)

You can use a host-based VLAN policy with any host directly attached to a port on a supported switch. (For example, to register a network-attached server that no user can log onto, use a host-based VLAN policy.)

Note   You ca nnot use host-based VLAN policies with hosts attached to hubs, routers, or unsupported switches.

If you are using traditional logons, host-based VLAN policies allow you to include MacOS, Linux, UNIX, and other non-Windows types of hosts in your dynamic VLAN planning. You can also use host-based VLAN policies with Windows systems—even if the Windows version supports user registration.

Using Both User-Based and Host-Based Policies

You can combine user-based and host-based VLAN policies in the same network by mapping the host MAC address to a VLAN.

  • If a VLAN policy exists for a user who logs onto the host, the user is assigned to the user-based VLAN.
  • If no VLAN policy exists for another user who logs onto the host, the user is assigned to the host-based VLAN.

Therefore, for open use systems, you can define a more restrictive host-based VLAN while giving trusted users their typical user-based VLAN resources.

For client hosts that support both user-based and host-based VLAN policies:

  • URT allows you to create policies based on username, group, or organizational unit. Regardless of which host users log onto, they can access the same network resources.
Note    User-based policies work well with a mobile user base.
  • URT requires that you use TCP/IP with Microsoft Networking or Novell NetWare running over IP. If you do not want to use TCP/IP as the base protocol, you must use host-based VLAN policies.

Retaining MAC-to-VLAN Associations

URT has an option that determines whether systems logging onto the network with MAC-to-VLAN mappings retain those mappings or if they use URT user-based VLAN policies.

Step 1   Select Customize>Options.

The URT Options dialog box is displayed.

Step 2   Click the Logon tab.

Step 3   To keep these mappings, select the Retain MAC to VLAN Associations checkbox.

Note    If you select this option when the system does not have MAC-to-VLAN associations, user-based VLAN policies are used.

Step 4   Click OK.




How URT Assigns VLANs

User-based registration takes precedence over host-based VLAN policies. URT applies VLAN assignments in the priority order shown in Figure 1-2.


Figure 1-2   How URT Prioritizes VLAN Assignments


VLANs are assigned in the priority order described in Table 1-4.

Table 1-4   Priority in Assigning VLANs

Priority Description

URT option

If you have enabled the URT Retain MAC to VLAN Associations option and the MAC address is mapped to a VLAN, the host-based VLAN is used.

Username

If you assign a specific VLAN to a username, that VLAN is used.

Membership in an NT group, Active Directory group, or organizational unit

If a username is not assigned to a VLAN, URT determines whether the username is a member of an NT group, Active Directory group, or organizational unit. If the username is a member of one of these, URT uses the VLAN assigned to it.

MAC address

If a username does not have a VLAN assignment nor is it a member of a group or organizational unit that has a VLAN assignment, URT uses the VLAN assigned to the MAC address of the system (as a host-based VLAN policy).

Note For clients that do not support user registration, only the MAC address VLAN assignment is checked.

Logon VLAN

If there are no VLAN assignments for the username, group name, organizational unit, or MAC address, the user remains in the logon VLAN.

Processing User Logons and User Logoffs

After URT is initiated and a user logs onto the domain (and is authenticated using the VLAN policies previously defined through URT), the user is assigned to an appropriate VLAN and subnet and is automatically assigned a new IP address in the appropriate subnet from the DHCP server.

URT VPSs replace switch-based VMPSs in your network.

Note   Switches must continue to run the VMPS client to communicate with the URT VPSs.

Before URT places users in the mapped VLAN, they are placed in a logon VLAN that you define for the VTP domain using the URT Administrative GUI. The logon VLAN is used as the default VLAN, giving unmapped users network connectivity. The logon VLAN ensures that users can be authenticated before connecting to your network.

The URT logon process is transparent. However, to manage user logon and logoff processes transparently, URT starts a lightweight service in the background (that does not affect system performance) on the client system.

Users are assigned to their associated VLAN only if they connect to the network through a dynamic switch port. Table 1-5 shows the relationships among the switch port state, the URT VLAN policy, and the resulting VLAN.

Table 1-5   How Users are Placed in VLANs Using URT

Switch Port State User-Based or Host-Based VLAN Policy
in URT? 		Resulting VLAN

Dynamic

Yes

VLAN association defined in URT.

Dynamic

No

Logon VLAN defined in URT for the switch VTP domain.

Static

Yes

VLAN defined on the switch port. URT does not apply.

Static

No

VLAN defined on the switch port. URT does not apply.

Understanding Logon Processing

Users must log onto a domain server before gaining access to the network in their preassigned VLANs. Before URT places users in the mapped VLAN, they are placed in a logon VLAN that you define for the VTP domain (see the "Setting a Default Logon VLAN" section).

The logon VLAN is used as the default VLAN, giving unmapped users network connectivity. The logon VLAN ensures that users are authenticated before connecting to your network.

  • Figure 1-3 illustrates a traditional logon to URT on the network; Table 1-6 describes the logon sequence.
  • Figure 1-4 illustrates a web logon to URT on the network; Table 1-7 describes the logon sequence.

Figure 1-3   URT-Based Traditional Logon Sequence


Table 1-6   Description of Traditional Logon Sequence

Step Description

A1

After the client powers up the workstation, the first packet is sent to the switch.

A2

The switch sends a VLAN Query Protocol (VQP) packet to the URT VPS.

A3

The VPS returns a VQP response to the switch.

A4

The client is put into the logon or MAC VLAN.

A5

The client releases the IP address from the DHCP server.

A6

The client renews the IP address from the DHCP server.

B1

The user logs onto the domain through the domain controller.

B2

The urt.bat login script runs.

B3

A logon packet is sent to the VPS.

B4

If changing VLANs, the VPS returns a VQP response to the switch.

B5

The client is put into the user, group, or organization unit VLAN.

Note Process continues with step B7.

B6

If not changing VLANs, the VPS responds to the logon.

Note Process ends with this step.

B7

The client releases the IP address from the DHCP server.

B8

The client renews the IP address from the DHCP server.

B9

The second logon packet is sent to the VPS.

B10

The VPS responds to the logon request.


Figure 1-4   URT-Based Web Logon Sequence


Table 1-7   Description of Web Logon Sequence

Step Description

A1

After the client powers up the workstation, the first packet is sent to the switch.

A2

The switch sends a VLAN Query Protocol (VQP) packet to the URT VPS.

A3

The VPS returns a VQP response to the switch.

A4

The client is put into the logon or MAC VLAN.

A5

The client releases the IP address from the DHCP server.

A6

The client renews the IP address from the DHCP server.

B1

The client connects to the web server.

B2

The client downloads the web logon page from the web server.

B3

A logon packet is sent to the VPS.

B4

The URT VPS sends a packet to the LDAP or RADIUS server to authenticate the user.

B5

The LDAP or RADIUS server sends an authentication response to the VPS.

B6

If changing VLANs, the VPS returns a VQP response to the switch.

Note If authentication fails, process continues with step B7.

B7

The client is put into the user or group VLAN.

Note Process continues with step B9.

B8

If not changing VLANs, the VPS responds to the logon.

Note Process ends with this step.

B9

The client releases the IP address from the DHCP server.

B10

The client renews the IP address from the DHCP server.

B11

The second logon packet is sent to the VPS.

B12

The VPS responds to the logon request.

Differences Between Microsoft Networking and Novell NetWare

Handling of Microsoft Networking Logons

1. If the username is mapped to a VLAN, URT switches to the selected VLAN.

2. If the username is not mapped to a VLAN, but the user's primary group is mapped, URT switches to the group VLAN.

3. If neither of the previous two conditions applies, but the user is a member of any group mapped to a VLAN, URT switches to the group VLAN. (Select the first group in the Groups list that has a VLAN policy.)

4. If none of the previous three conditions apply, URT uses the default VLAN for the VTP domain.

Handling of Novell NetWare Logons

1. If the NDS username is mapped to a VLAN, URT switches to the selected VLAN.

2. If the NDS username is not mapped to a VLAN, but the user is a member of an organizational unit, URT switches to the organizational unit VLAN (if one is assigned).

3. URT checks VLAN policies to find organizational units that contain the user.

An example of an organizational unit for user Ken might be:

Ken.California.USA.NorthAmerica.

In this example, the organizational unit California contains the user Ken. URT looks for VLAN policies in the same order: Ken, then California. URT switches to the organizational unit-based VLAN policy for California (if one is found).

4. If neither of the previous conditions applies, URT uses the default VLAN for the VTP domain.

Web-Based Logon Authentication

URT supports web-based authentication for Windows, Linux, and MacOS clients through LDAP (Active Directory and NDS) and RADIUS servers. The VPS determines the VTP domain of the switch and uses the corresponding VLAN to assign the switch port VLAN.

Note   You must modify the DHCP setting so the logon VLAN uses the VPS as the DNS setting. When a user logs on from the web, the web page address is queried in DNS. The response to the query is the IP address of the current VPS system; the URT web logon page is then displayed.

For RADIUS servers, you must add a server attribute to indicate the VTP/VLAN assigned to a user. The RADIUS server returns this attribute when a user is successfully authenticated.

Understanding Logoff Processing

Figure 1-5 illustrates a user logging off the network with URT installed; Table 1-8 explains the logoff sequence.

Note   The process is essentially the same whether the user logs off from a Windows/NDS domain controller or from the web.

Figure 1-5   URT-Based Traditional and Web Logoff Sequence


Table 1-8   Description of Traditional and Web Logoff Sequence

Step Description

1

A logoff packet is sent to the URT VPS.

2

If changing VLANs, the VPS sends a VQP response to the switch.

3

The client is put into the logon/MAC VLAN.

Note Process continues with step 4.

4

If not changing VLANs, the VPS responds to the logoff.

Note Process ends with this step.

5

The client releases the IP address from the DHCP server.

6

The client renews the IP address from the DHCP server.

7

The second logoff packet is sent to the VPS.

8

The VPS responds to the logoff request.

Implementing URT in Your Network

After reading the material in this chapter to familiarize yourself with the URT basics, perform the following tasks to implement URT in your network.

Step 1   Import data from CiscoWorks2000 or a comma-separated value (CSV) file, then add switches manually. (See "Getting Started with URT.")

Step 2   Add VPSs and configure switches to use them. (See "Managing VLAN Policy Servers.")

Step 3   Configure domains, directories, and servers:

  • Configure domain options.
  • Install the URT logon script.
  • If applicable, add and configure RADIUS servers.
  • If applicable, add and configure LDAP servers.

(See "Setting Up Domains, Directories, and Servers.")

Step 4   Associate VLANs and users:

  • Enter subnets and masks for each VLAN.
  • Set a default logon VLAN.
  • Associate users to VLANs.

(See "Managing VLANs and Users.")

Step 5   Customize the Web Client Interface for web logons. (See "Setting Up and Using the URT Web Client Interface.")

Step 6   Install the URT Client Module for traditional logons (if not done automatically).
(See "Managing the Traditional Client Module.")

Step 7   (Optional.) You might need to remove URT from your network. (See "Removing URT.")