Identity-Based
Networking Services provides a policy and identity-based framework in which
edge devices can deliver flexible and scalable services to subscribers. This
module provides information about what Identity-Based Networking Services is
and its features and benefits.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see
Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Identity-Based Networking Services
Understanding Identity-Based
Networking Services
Identity-Based
Networking Services provides an identity-based approach to access management
and subscriber management. It offers a consistent way to configure features
across technologies, a command interface that allows easy deployment and
customization of features, and a robust policy control engine with the ability
to apply policies defined locally or received from an external server to
enforce policy in the network.
The figure below
illustrates a typical deployment of Identity-Based Networking Services in a
physically distributed enterprise with a campus, branch offices, and remote
workers.
Figure 1. Sample
Deployment
Features in
Identity-Based Networking Services
Identity-Based
Networking Services includes the following features:
Cisco common
classification policy language (C3PL)-based identity configuration
Concurrent
authentication methods on a single session, including IEEE 802.1x (dot1x), MAC
authentication bypass (MAB), and web authentication
Downloadable
identity service templates
Extended RADIUS
change of authorization (CoA) support for querying, reauthenticating, and
terminating a session, port shutdown and port bounce, and activating and
deactivating an identity service template.
Local
authentication using Lightweight Directory Access Protocol (LDAP)
Locally defined
identity control policies
Locally defined
identity service templates
Per-user
inactivity handling across methods
Web
authentication support of common session ID
Web
authentication support of IPv6
Benefits of Identity-Based
Networking Services
Identity-based
solutions are essential for delivering access control for disparate groups such
as employees, contractors, and partners while maintaining low operating
expenses. Identity-Based Networking Services provides a consistent approach to
operational management through a policy and identity-based infrastructure
leading to faster deployment of new features and easier management of switches.
Identity-Based
Networking Services provides the following benefits:
An identity-based
framework for session management.
A robust policy
control engine to apply policies defined locally or received from an external
AAA server.
Faster deployment
and customization of features across access technologies.
A simpler and
consistent way to configure features across access methods, platforms, and
application domains.
Web Authentication
Support for Common Session ID
Identity-Based
Networking Services allows a single session identifier to be used for web
authentication sessions in addition to all 802.1X and MAB authenticated
sessions for a client. This session ID is used for all reporting purposes such
as show commands, MIBs, and RADIUS messages and allows users to distinguish
messages for one session from messages for other sessions. This common session
ID is used consistently across all authentication methods and features applied
to a session.
Web Authentication
Support of IPv6
Identity-Based
Networking Services introduces IPv6 support for web authentication. IPv6 is
supported for web authentication only when Identity-Based Networking Services
is explicitly configured. This means that you must permanently convert your
configuration to the Cisco common classification policy language (C3PL) display
mode by specifically configuring a Identity-Based Networking Services command
such as the
policy-map type control
subscriber command.
Authentication, authorization, and accounting (AAA)
configuration tasks
Authentication Authorization
and Accounting Configuration Guide
AAA
commands
Cisco IOS Security Command
Reference
Standards and RFCs
Standard/RFC
Title
RFC 5176
Dynamic Authorization
Extensions to RADIUS
Technical Assistance
Description
Link
The Cisco
Support and Documentation website provides online resources to download
documentation, software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve technical issues with
Cisco products and technologies. Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID and password.
Feature Information
for Identity-Based Networking Services Overview
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature Information for
Identity-Based Networking Services Overview
Feature Name
Releases
Feature
Information
Web
Authentication Support of Common Session ID
Cisco IOS XE
Release 3.2SE
Allows a
single session identifier to be used for all web authentication sessions in
addition to 802.1X and MAB authenticated sessions.