Cisco TrustSec User Manual Page 4

© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 10
Effective Management
Cisco TrustSec combines authentication, authorization, and accounting (AAA), posture, profiler, and guest
management functions in a single, unified appliance, leading to simplified deployments and a single point of
management. All of this results in lower total cost of ownership.
Figure 1 illustrates how Cisco TrustSec delivers these functions using a Cisco Identity Service Engine (ISE)
server.
Figure 1. How Cisco TrustSec Works
Users and devices accessing wired, wireless, or remote networks are authenticated with a flexible access control
mechanism that supports different user roles, device types, operating systems, and access methods.
(Authentication methods are discussed in the Architecture section of this paper.)
User identity can be mapped to roles using standard directory services or additional identity services. Depending
on whether the users are employees, contractors, visiting guests, or members of other user groups, the security
policy will dictate the appropriate network access to allow users to reach their network data, tools, and resources.
Posture assessment of endpoint devices (such as printers and IP phones) is part of the policy-based access
control process that helps ensure that the end device is compliant with the organization’s security policies. The
device assessment process also includes networking devices (such as switches, routers, and wireless access
points). Cisco TrustSec authenticates these networking devices before they become part of the network. Cisco
TrustSec supports many access methods transparently, including local LAN, branch offices, wireless, and remote
access.
After users gain the initial network access, their identity information can be captured and associated with their
subsequent network activities in a switching environment through Cisco Security Group Access technology
(see the Architecture section for more details). Such identity information can be used in other parts of the network,
where an access control policy enforcement decision can be implemented. Identity-aware networks carry user role
information to these points so that a single access authentication event provides identity information to all policy
enforcement points, including destinations where resources such as shared files, databases, and system