PDF(151.3 KB) View with Adobe Reader on a variety of devices
Updated:June 2, 2009
Identity-Based Networking Services Overview
® Identity-Based Networking Services (IBNS) is an integrated solution that offers authentication, access control, and user policy enforcement to help secure network connectivity and resources. IBNS helps customers increase user productivity, reduce operating costs, increase visibility, and enforce policy compliance.
These components, together with an existing identity management infrastructure such as Microsoft Active Directory or LDAP-capable directory, provide policy enforcement at the network edge.
Figure 1. Basic IBNS Component
Cisco IBNS is an easy-to-deploy identity solution that incorporates extensive Cisco testing efforts, including feature development, regression testing, and solutions testing. The IBNS solution is based on real-life customer deployments and provides the following benefits:
• Strong authentication of users and devices on wired and wireless LANs
• Identity feature consistency across Cisco Catalyst switches
• Tight integration between various components in the solution: the authenticator, authentication server, and supplicant
• Architecture that allows a phased deployment approach that gradually introduces identity-based access control
• A solution that has been tested in-house and then hardened with alpha and beta customer testing
The solution also includes deployment and configuration guides.
• Cisco IBNS uses the following software versions:
• Cisco Secure Access Control System (ACS) Version 5.0
• Cisco Secure Services Client (SSC) Version 5.1
• Microsoft Windows XP and Vista supplicant
Cisco IBNS offers a phased, scenario-based deployment strategy so that customers can roll out the solution with minimal impact to end users. Monitoring, low-impact, and high security deployment modes apply specific combinations of features and configurations to satisfy a particular set of use cases (Table 1). Instead of starting "from scratch," you can follow the guidelines for a particular deployment scenario and then, if necessary, customize it to suit your network requirements.
Table 1. Deployment Modes for Cisco IBNS
Provides visibility into access on your network. Includes a pre-access-control deployment assessment and a policy evaluation
Reduces known issues with other protocol timeouts and networked services. Enables differentiated access through policy-driven downloadable access control lists (dACLs) based on identity or group.
High security mode
Provides the highest level of LAN-based access security for environments where access cannot be granted without authentication.
The following Cisco IBNS features are available across Cisco Catalyst switches:
• Flexible authentication sequencing: This feature provides a flexible fallback mechanism among IEEE 802.1X, MAC authentication bypass (MAB), and web authentication methods. It also allows switch administrators to control the sequence of the authentication methods. This simplifies identity configuration by providing a single set of configuration commands to handle different types of endpoints connecting to the switch ports. In addition, this feature allows users to configure any authentication method on a standalone basis. For example, MAB can be configured without requiring IEEE 802.1X configuration.
• IEEE 802.1X with open access: This feature allows 802.1X and MAB authentication without enforcing any kind of authorization. There is no impact to users or endpoints: They continue to get exactly the same kind of network access that they did before you deployed IBNS. Having visibility into the network gives you insight into who is getting access, who has an operational 802.1X client, who is already known to existing identity stores, and who has credentials, as well as other information.
• IEEE 802.1X, MAB, and web authentication with downloadable ACLs: This feature allows ACLs to be downloaded from the Cisco Secure ACS as policy enforcement after authentication using IEEE 802.1X, MAC authentication bypass, or web authentication.
• Cisco Discovery Protocol enhancement for second-port disconnect: For IP telephony environments, Cisco Discovery Protocol is enhanced to add a new Type-Length-Value (TLV) for the IP phone to indicate when a PC disconnects from the IP phone. Upon receiving this notification, the switch can clear the authentication session for the PC
• Inactivity timer for IEEE 802.1X and MAB: With this local inactivity timer for IEEE 802.1X and MAB, if the authenticated devices stay idle for longer than the defined period, the switch resets the security record of the devices.
• Multidomain authentication: This feature allows an IP phone (Cisco or non Cisco) and a PC to authenticate on the same switch port while it places them on appropriate voice and data VLANs.
• IEEE 802.1X with multiauth: Multiple authentications allows more than one host to authenticate on an IEEE 802.1X-enabled switch port. With multiauth, each host must authenticate individually before it can gain access to the network resources; this is necessary in a virtualized environment.
• Centralized web authentication: This feature allows the switch to redirect users using HTTP URL redirection to a central web authentication server or a guest access server for authentication before accessing the network resources.
• Common session ID: IEEE 802.1X and MAB will use a session ID identifier for all 802.1X and MAB authenticated sessions. This session ID will be used for all reporting purposes, such as show commands, MIBs, syslog, and RADIUS messages, and allows users to distinguish messages for one session from others.
The following Cisco IBNS features are available on Cisco Secure ACS 5.0:
• A distributed deployment model that enables large-scale deployments, such as identity deployment in a campus environment
• A powerful, attribute-driven rules-based policy model that addresses complex policy needs in a flexible manner
• Integrated advanced monitoring, reporting, and troubleshooting capabilities for maximum control and visibility
• Improved integration with external identity and policy databases, including Windows Active Directory and Lightweight Directory Access Protocol (LDAP)-accessible databases, simplifying policy configuration and maintenance
The following Cisco IBNS features are available on the Cisco Secure Services Client (SSC):
• A wireless interface that can be disabled when a wired connection is present, eliminating unwanted wireless bridging to the wired network
• An 802.1X identity-based network security framework
• Configuration and enforcement of access policies to protect corporate resources and assets
• Authenticated access to 802.1X wired and wireless LANs
Cisco Secure Access Control System (ACS) 5.0 Ordering Information
Cisco Secure ACS is a next-generation platform for centralized network identity and access control. Cisco Secure ACS 5.0 features a simple yet powerful rule-based policy model and a new, intuitive management interface designed for optimum control and visibility.
Cisco Secure ACS 5.0 is offered as a dedicated appliance, the Cisco 1120 Secure Access Control System, and as software for customers building a virtual infrastructure using VMWare ESX. The appliance and software versions of Cisco Secure ACS 5.0 support the same features. For system specifications, please view the data sheet at
Table 2 lists the part numbers for Cisco Secure ACS hardware and software.
Table 2. Cisco Secure ACS Ordering Information
Cisco Secure 1120 Appliance with preinstalled Cisco Secure ACS 5.0 and Base license
Cisco Secure ACS 5.0 software for VMWare with Base license
Cisco Secure ACS 5.0 Advanced Monitoring and Reporting add-on license
Cisco Secure ACS 5.0 Large Deployment add-on license
Cisco Secure Services Client Ordering Information
The Cisco Secure Services Client is a software application that enables businesses of all sizes to deploy a single authentication framework across endpoint devices for access to both wired and wireless networks. The Cisco Secure Services Client solution delivers simplified management, robust security, and lower total cost of ownership.
Table 3 lists the part numbers for Cisco Secure Services Client Version 5.1. To download the Cisco Secure Services Client, visit the
Cisco Ordering Home Page.
Table 3. Cisco SSC Ordering Information
Cisco Secure Services Client (Windows XP/2000)
Cisco Secure Services Client (Windows Vista)
Cisco Secure Services Client FIPS drivers (Windows XP only)
Cisco NAC Profiler Ordering Information
The Cisco NAC Profiler enhances the deployment and administration of Cisco IBNS by maintaining a real-time list of all network-attached endpoints, such as IP phones and networked printers.
Table 4. Cisco NAC Profiler Ordering Information
Cisco NAC Profiler Server
Cisco NAC Collector License for Cisco NAC 3350 Appliances
Cisco NAC Collector License for Cisco NAC 3310 Appliances
Cisco IBNS Feature Availability for Cisco Catalyst Switches
Table 5 describes the new Cisco IOS
® Software-based IBNS features available with enterprise-class Cisco Catalyst switches. All Cisco IOS Software releases are available for order now. Customers interested in purchasing these products can place orders through their normal sales channels.
Table 5. New Cisco IBNS Features for Enterprise-Class Switches
Cisco IOS Software Release for Catalyst 3000 Series Switches
Cisco IOS Software Release for Catalyst 4500 Series Switches
Cisco IOS Software Release for Catalyst 6500 Series Switches
Flexible authentication sequencing
IEEE 802.1X with open access
IEEE 802.1X, MAB, and web authentication with downloadable ACL
Cisco Discovery Protocol enhancement for second-port disconnect
Inactivity timer for IEEE 802.1X and MAB
IEEE 802.1X with multiauth
Centralized web authentication
Common session ID
For More Information
For more information about Cisco products, please contact your Cisco account manager or Cisco channel partner.