How Session-Aware Networking Can Massively Scale Authentication and Access Policy Control
As enterprise networks become more complex, the demands and challenges to secure them are increasing. Increased mobility, wireless networks, and Bring Your Own Device (BYOD) initiatives have broadened the attack surface. Access security must be capable of scaling to accommodate the increased access demands of myriad devices.
Session Aware Networking (SANet) is a framework and set of features that provide authentication, access control, and user-specific policies. The SANet re-architecture has evolved from being a single-core Cisco IOS XE application to a horizontally scalable application that follows Cisco's database-centric programming model. Device state is now maintained in the database, and the implementation takes advantage of the multicore capabilities of the device platforms.
The decoupling of SANet features from the IOS XE daemon allows for much greater authentication scalability and flexibility in addressing various business requirements.
Scaling Access Security
SANet is the session management software on IOS XE-based devices and plays a vital role in Identity Based Networking Services (IBNS). Enterprise wired and wireless networking products that run IOS XE use SANet to handle session management (Figure 1). Having the same control plane software for session management across all Cisco enterprise product families that run IOS XE enables two things:
- Higher feature velocity and availability across all the products
- A uniform control plane across all Cisco products that enables the deployment of security policies at multiple locations in the network with ease
Figure 1. SANet Architecture and Features
Following the principles of the IOS XE database-centric programming model and horizontally scalable architecture, SANet was designed to address the expanding scalability requirements of wired and wireless networks. For example, wireless LAN controllers may have higher scalability requirements than fixed-port switches. SANet offers a more consistent way to configure features across technologies, easy deployment, and customization of features. Having a single solution that addresses these diverse requirements simplifies deployment through standardization.
The database-centric programming model, together with the IOS XE infrastructure, provides access to other capabilities such as compiler-integrated patching, integrated telemetry, and unified software tracing, to name a few. SANet also benefits from any future enhancements to the complete IOS XE stack, such as process restartability and multi-tenancy.
Multiple Authentication Methods and Comprehensive Policy Control
SANet provides an extensive list of authentication mechanisms and a robust policy framework that can apply policies defined locally or on an external server. Session insights or attributes are sent during authentication or accounting to a configured external server, like Cisco Identity Services Engine (ISE) or third-party servers, to make network policies flexible, consistent across the network, and easy to manage.
Authentication methods available with SANet include 802.1X, Web Authentication, and MAC Authentication Bypass (MAB). These methods can be combined to address various business requirements. For example, MAB followed by Web-based authentication may be used for solutions that demand diverse types and combinations of session policies. Security policies, such as an Access Control List (ACL), that are applied initially to a user session can change as more user identity details are learned. Alternatively, a policy may be applied to a guest user to limit the time that the user is allowed to stay connected to the network.
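The MAB-then-Web-Authentication flow with a time-limited guest policy described above, expressed as an IOS XE IBNS 2.0 control policy. This is an added illustration, not configuration from the original post; the object names (GUEST_ACL, GUEST_LIMITED, GUEST_WEB, MAB_FAILED, WEBAUTH_SUCCESS, MAB_THEN_WEBAUTH), the 120-minute limit and the interface are placeholders chosen for this example, and the RADIUS server definition is assumed to exist already.

```cisco
! Added example (placeholder names); assumes a RADIUS server group is already defined.
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default group radius
aaa authorization network default group radius
ip http server
!
! Guest sessions may only resolve names and browse; everything else is dropped.
ip access-list extended GUEST_ACL
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any
!
! Local policy a guest receives after web authentication: restricted ACL plus
! a hard 120-minute session lifetime, after which the session is torn down.
service-template GUEST_LIMITED
 access-group GUEST_ACL
 absolute-timer 120
!
parameter-map type webauth GUEST_WEB
 type webauth
!
! Matches an authoritative RADIUS reject for the MAC address (unknown device).
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
class-map type control subscriber match-all WEBAUTH_SUCCESS
 match method webauth
 match result-type method webauth success
!
! MAB first; an unknown MAC falls back to web authentication, and a successful
! web login gets the restricted, time-limited guest policy.
policy-map type control subscriber MAB_THEN_WEBAUTH
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
 event authentication-failure match-first
  10 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using webauth parameter-map GUEST_WEB priority 30
 event authentication-success match-all
  10 class WEBAUTH_SUCCESS do-until-failure
   10 activate service-template GUEST_LIMITED
!
interface GigabitEthernet1/0/1
 access-session port-control auto
 mab
 service-policy type control subscriber MAB_THEN_WEBAUTH
```

A known device whose MAC address the RADIUS server accepts never reaches the web-authentication step and keeps whatever authorization the server returns, so only users who had to log in through the portal are constrained by GUEST_LIMITED.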