
Table of Contents

Understanding the Basics
Understanding What URT Does
Understanding VLAN Policies
Processing User Logons and User Logoffs
Implementing URT in Your Network

Understanding the Basics


User Registration Tool (URT) helps you simplify your network management and control access to key services in your network.

The following topics provide basic information about how URT works.

Understanding What URT Does

User Registration Tool (URT) is a security application in the Cisco Secure product line that controls user access to the LAN. User access is granted through authentication to Windows NT, Novell Directory Services (NDS), or Active Directory (AD) domain controllers. Until a user is authenticated, URT places the user in a logon VLAN that cannot access corporate data servers.

URT facilitates enterprise security, mobile user access, and corporate reorganizations. You can develop VLAN-based security policies and make sure that users access only the authorized services.

As users move from system to system in your network, URT identifies them based on their logon username and applies the appropriate VLAN policy for each user. You can use URT to create and manage VLAN-based security policies based on a username or a user's membership in a group or organizational unit.

URT supports Microsoft Windows clients for traditional logon, and Windows, Linux, and MacOS clients for web logon.

For more information about the web browsers and client platforms supported, see Installation and Setup Guide for the Cisco Secure User Registration Tool.

Figure 1-1 shows the relationship between the required network resources and URT.


Note   The relationship in this illustration is only a generalization: you do not have to place all of the systems on the same network segment.


Figure 1-1   Role of URT in the Network


URT Components

Table 1-1 describes the URT components.

Table 1-1   URT Components

Component Function

VLAN Policy Server (VPS)

Runs on an external appliance and assigns the VLAN of a client's switch port based on logon username, group name, organizational unit, or MAC address. The VPS handles all logons and acts as a server, delivering VLAN policies to the switches on the network. The VPS also runs a DNS server and a web server for authenticating web clients and assigning their VLANs.

URT Administrative Server and URT Administrative GUI
(URT main window)

  • The URT Administrative Server stores your VLAN policies and updates the VPS with the VLAN policies.
  • The URT Administrative Graphical User Interface (GUI) lets you create VLAN policies and manage URT. You perform almost all URT functions from the URT main window (the main feature of the Administrative GUI).

Note When you start URT, the main window is displayed, and a separate DOS window (Java console) displays program status and error messages. The DOS window remains open while the Administrative GUI is running. When you close the DOS window, the main window also closes.

URT Client Module

Allows traditional users (those using non-web logons) to log onto the appropriate domain. You can install this module automatically on Windows NT and Windows 2000 client systems.

URT Web Client Interface

Lets web users log on and log off using a web browser. This Java-based interface prompts for a user ID, password, and authentication domain.

Domain server

A Microsoft or Novell server on which software (such as the URT Client Module) required for users' workstations is installed. Domain servers ensure that logons are channeled through the VPSs for VLAN assignments.

Note In this guide, the terms NT host and NT domain also refer to Windows 2000 hosts and Windows 2000 domains.

Lightweight Directory Access Protocol (LDAP) server

Provides authentication and policy management for traditional and web logon clients.

Remote Authentication Dial-In User Service (RADIUS) server

Provides authentication and policy management for web logon clients.

Other Components

Table 1-2 describes other components that URT accesses on the network.

Table 1-2   Other Components URT Accesses on the Network

Component Function

Switches

Because no URT components run on the switches themselves, you add the switches to URT and configure each switch as a VLAN Management Policy Server (VMPS) client so that it queries the appropriate VPS.

Note You enable the VMPS client from the switch command-line interface.

DHCP server

The URT Client Module sends the appropriate notifications to the VPS and sends DHCP release and renew requests to the DHCP server. For web logons, you must configure the DHCP scope for the logon VLAN to hand out the VPS as the DNS server: when a user opens the web logon page, the client resolves the page's hostname through the VPS, and the answer is the IP address of the current VPS.

Understanding Traditional Logons and Web Logons

Traditional logon is not web-based: users log on through the standard Windows or NetWare domain logon.


Note   Traditional logon applies only to Windows clients using Microsoft Networking or Novell NetWare.

Users can also log on from the web on Windows, Linux, and MacOS systems. Web clients are authenticated through LDAP or RADIUS servers.

The same URT Administrative Server and VPS can manage both traditional logons and web logons.


Note   To distinguish between the types of logons, the terms traditional logon and web logon are used in this guide.

URT Security Features

Table 1-3 describes the URT security features for both traditional logons and web logons.

Table 1-3   URT Security Features for Traditional Logons and Web Logons

Security Feature Description

Preventing access until authorized

The URT logon VLAN is used as the default VLAN for a VTP domain. Users are typically assigned to the logon VLAN during initial stages of logon, ensuring that they are authenticated before connecting to other VLANs on the network.

Detecting port down state

URT automatically places a port into the logon VLAN whenever the port state changes to down (for example, when a user disconnects a workstation).

Using secure link between client and VPS

URT authentication and data encryption provide a more secure connection between the client and the URT VPS. URT uses these VScape Secure Packet Stream (VSPS) protocol specifications:

  • Diffie-Hellman key exchange (1024 bits).
  • HMAC-MD5 or HMAC-SHA1 for authenticating the message payload.
  • Payload data field encrypted with the Twofish block cipher (256-bit key, CBC mode). Twofish's block size is 128 bits; the 256 bits refer to the key length.

Every client logon generates a different session key, which makes client logon, client logoff, and sync packets harder for others to replay. For data encryption, URT exchanges four extra packets between the VPS and each logon client. Web clients are additionally authenticated against RADIUS or LDAP servers. Note that a 1024-bit Diffie-Hellman group and HMAC-MD5 are below current strength recommendations; where URT offers the choice, prefer HMAC-SHA1.

Using MAC security options

You can restrict a port to MAC-assigned VLANs only, and you can place unauthorized hosts in a security violation VLAN (rather than the default logon VLAN) or shut down their ports.
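The secure-link row of Table 1-3 describes a per-logon session key, HMAC authentication of the payload, and the resulting resistance to replay. The following block is an added example, not Cisco code and not the VSPS wire format: it models the two ends of that exchange in Python using only the standard library. Assumptions made here: the 1024-bit MODP group from RFC 2409 (Oakley group 2) as the Diffie-Hellman group, SHA-1 of the shared secret as the key derivation, a packet layout of sequence number, message type, payload and HMAC-SHA1 tag, and a monotonically increasing sequence number for replay detection. The Twofish payload encryption is omitted because the standard library has no Twofish implementation; the block shows the authentication half only.

```python
"""Model of a per-session authenticated exchange between a URT client and the VPS.

Added example, not Cisco code. Only the key exchange and HMAC authentication
described for VSPS are modelled; the Twofish payload encryption is left out.
The DH group (RFC 2409 Oakley group 2), the SHA-1 key derivation, the packet
layout and the sequence-number replay check are assumptions of this example.
"""
import hashlib
import hmac
import secrets
import struct

# 1024-bit MODP prime from RFC 2409 (Oakley group 2); generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
TAG_LEN = 20  # HMAC-SHA1 tag length in bytes
HEADER = struct.Struct("!IB")  # sequence number (4 bytes) + message type (1 byte)


class Party:
    """One side of the Diffie-Hellman exchange (the client or the VPS)."""

    def __init__(self):
        self._x = secrets.randbelow(P - 2) + 1  # private exponent in [1, P-2]
        self.public = pow(G, self._x, P)
        self.session_key = None

    def derive(self, peer_public):
        """Compute the shared secret and reduce it to a fixed-length MAC key."""
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid DH public value")
        shared = pow(peer_public, self._x, P)
        self.session_key = hashlib.sha1(shared.to_bytes(128, "big")).digest()
        return self.session_key


def build_packet(key, seq, msg_type, payload):
    """Packet = seq | type | payload | HMAC-SHA1(key, seq | type | payload)."""
    body = HEADER.pack(seq, msg_type) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()


class Receiver:
    """Verifies packets under one session key and rejects replays."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, packet):
        if len(packet) < HEADER.size + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong session key or modified packet
        seq, _ = HEADER.unpack_from(body)
        if seq <= self.last_seq:
            return False  # replayed (or reordered) packet within this session
        self.last_seq = seq
        return True


def run_session():
    """One client/VPS session: key agreement, then one authenticated logon packet.

    Returns the packet and the VPS-side receiver so a caller can try replays."""
    client, vps = Party(), Party()
    client_key = client.derive(vps.public)
    vps_key = vps.derive(client.public)
    assert client_key == vps_key  # both sides agree on the session key
    packet = build_packet(client_key, 1, 0x01, b"user=ken;domain=CORP")  # constructed payload
    return packet, Receiver(vps_key)


if __name__ == "__main__":
    pkt, vps_rx = run_session()
    print("fresh logon packet accepted:", vps_rx.accept(pkt))
    print("same packet replayed in the same session:", vps_rx.accept(pkt))
    _, other_rx = run_session()
    print("same packet replayed into a later session:", other_rx.accept(pkt))
```

Because the key comes from a fresh exchange per session, a packet captured from one session fails the MAC check in any other session, which is the property the page attributes to the per-logon session key; within a session, it is the sequence counter that rejects a repeated packet, so a real implementation needs both.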

Understanding VLAN Policies

You can use both user-based (URT) and host-based (MAC address) VLAN policies in your network, as described in the following topics:

Using User-Based Policies

You can create user-based VLAN policies based on a Windows NT or Windows 2000 user or group name, or a Novell NetWare user or organizational unit name. Using these types of policies allows a user to move from one system to another and remain assigned to the appropriate VLAN and subnet (assuming that a single workstation is connected directly to a switch that supports URT).

Users with mobile systems (such as laptops) can connect to any supported switch port and be placed in the correct VLAN and subnet. You must define the associated port as dynamic: if the port has a static VLAN assignment, URT does not override that assignment.

Using Host-Based Policies

You can create host-based VLAN policies by assigning a MAC address to a VLAN. Use host-based VLAN policies primarily with servers directly connected to a supported switch (for example, UNIX or Linux servers). To place a host that does not support user registration in a preassigned VLAN when it starts communicating on the network, you must create host-based VLAN policies.

To create a host-based VLAN policy, you assign VLANs based on the host MAC address associated with the system network interface card (NIC). Because the VLAN policy is based on the MAC address, the host is mapped to a VLAN as soon as it starts communicating on a port. Therefore, no user logon is required.

If there is a one-to-one correspondence between users and hosts (that is, users do not move from host to host), host and user registration provides essentially identical network policy control. Because the VLAN is based on the host MAC address, not the switch port, you can move the host to a different port and make sure that the same VLAN policy is applied. (For example, you can move a laptop between buildings.)

You can use a host-based VLAN policy with any host directly attached to a port on a supported switch. (For example, to register a network-attached server that no user can log onto, use a host-based VLAN policy.)


Note   You cannot use host-based VLAN policies with hosts attached to hubs, routers, or unsupported switches.

If you are using traditional logons, host-based VLAN policies allow you to include MacOS, Linux, UNIX, and other non-Windows types of hosts in your dynamic VLAN planning. You can also use host-based VLAN policies with Windows systems—even if the Windows version supports user registration.

Using Both User-Based and Host-Based Policies

You can combine user-based and host-based VLAN policies in the same network by mapping the host MAC address to a VLAN.

For example, on shared (open-use) systems you can define a more restrictive host-based VLAN while still giving trusted users their usual user-based VLAN resources.

For client hosts that support both user-based and host-based VLAN policies:


Note    User-based policies work well with a mobile user base.

Retaining MAC-to-VLAN Associations

URT has an option that determines whether systems logging onto the network with MAC-to-VLAN mappings retain those mappings or if they use URT user-based VLAN policies.


Step 1   Select Customize>Options.

The URT Options dialog box is displayed.

Step 2   Click the Logon tab.

Step 3   To keep these mappings, select the Retain MAC to VLAN Associations checkbox.


Note    If you select this option when the system does not have MAC-to-VLAN associations, user-based VLAN policies are used.

Step 4   Click OK.



How URT Assigns VLANs

User-based registration takes precedence over host-based VLAN policies, unless the Retain MAC to VLAN Associations option applies. URT applies VLAN assignments in the priority order shown in Figure 1-2.


Figure 1-2   How URT Prioritizes VLAN Assignments


VLANs are assigned in the priority order described in Table 1-4.

Table 1-4   Priority in Assigning VLANs

Priority Description

URT option

If you have enabled the URT Retain MAC to VLAN Associations option and the MAC address is mapped to a VLAN, the host-based VLAN is used.

Username

If you assign a specific VLAN to a username, that VLAN is used.

Membership in an NT group, Active Directory group, or organizational unit

If a username is not assigned to a VLAN, URT determines whether the username is a member of an NT group, Active Directory group, or organizational unit. If the username is a member of one of these, URT uses the VLAN assigned to it.

MAC address

If a username does not have a VLAN assignment nor is it a member of a group or organizational unit that has a VLAN assignment, URT uses the VLAN assigned to the MAC address of the system (as a host-based VLAN policy).

Note For clients that do not support user registration, only the MAC address VLAN assignment is checked.

Logon VLAN

If there are no VLAN assignments for the username, group name, organizational unit, or MAC address, the user remains in the logon VLAN.

Processing User Logons and User Logoffs

After URT is running and a user logs onto the domain, the VPS applies the VLAN policies you defined through URT: the user's port is assigned to the appropriate VLAN and subnet, and the client automatically obtains a new IP address in that subnet from the DHCP server.

URT VPSs replace switch-based VMPSs in your network.


Note   Switches must continue to run the VMPS client to communicate with the URT VPSs.

Before URT places users in the mapped VLAN, they are placed in a logon VLAN that you define for the VTP domain using the URT Administrative GUI. The logon VLAN is used as the default VLAN, giving unmapped users network connectivity. The logon VLAN ensures that users can be authenticated before connecting to your network.

The URT logon process is transparent. However, to manage user logon and logoff processes transparently, URT starts a lightweight service in the background (that does not affect system performance) on the client system.

Users are assigned to their associated VLAN only if they connect to the network through a dynamic switch port. Table 1-5 shows the relationships among the switch port state, the URT VLAN policy, and the resulting VLAN.

Table 1-5   How Users are Placed in VLANs Using URT

Switch Port State   VLAN Policy in URT?   Resulting VLAN
Dynamic             Yes                   VLAN association defined in URT.
Dynamic             No                    Logon VLAN defined in URT for the switch VTP domain.
Static              Yes                   VLAN defined on the switch port. URT does not apply.
Static              No                    VLAN defined on the switch port. URT does not apply.

Understanding Logon Processing

Users must log onto a domain server before gaining access to the network in their preassigned VLANs. Before URT places users in the mapped VLAN, they are placed in a logon VLAN that you define for the VTP domain (see the "Setting a Default Logon VLAN" section).

The logon VLAN is used as the default VLAN, giving unmapped users network connectivity. The logon VLAN ensures that users are authenticated before connecting to your network.


Figure 1-3   URT-Based Traditional Logon Sequence


Table 1-6   Description of Traditional Logon Sequence

Step   Description
A1     After the client powers up the workstation, the first packet is sent to the switch.
A2     The switch sends a VLAN Query Protocol (VQP) packet to the URT VPS.
A3     The VPS returns a VQP response to the switch.
A4     The client is put into the logon or MAC VLAN.
A5     The client releases the IP address from the DHCP server.
A6     The client renews the IP address from the DHCP server.
B1     The user logs onto the domain through the domain controller.
B2     The urt.bat login script runs.
B3     A logon packet is sent to the VPS.
B4     If changing VLANs, the VPS returns a VQP response to the switch.
B5     The client is put into the user, group, or organizational unit VLAN. (The process continues with step B7.)
B6     If not changing VLANs, the VPS responds to the logon. (The process ends with this step.)
B7     The client releases the IP address from the DHCP server.
B8     The client renews the IP address from the DHCP server.
B9     The second logon packet is sent to the VPS.
B10    The VPS responds to the logon request.


Figure 1-4   URT-Based Web Logon Sequence


Table 1-7   Description of Web Logon Sequence

Step   Description
A1     After the client powers up the workstation, the first packet is sent to the switch.
A2     The switch sends a VLAN Query Protocol (VQP) packet to the URT VPS.
A3     The VPS returns a VQP response to the switch.
A4     The client is put into the logon or MAC VLAN.
A5     The client releases the IP address from the DHCP server.
A6     The client renews the IP address from the DHCP server.
B1     The client connects to the web server.
B2     The client downloads the web logon page from the web server.
B3     A logon packet is sent to the VPS.
B4     The URT VPS sends a packet to the LDAP or RADIUS server to authenticate the user.
B5     The LDAP or RADIUS server sends an authentication response to the VPS.
B6     If changing VLANs, the VPS returns a VQP response to the switch. (If authentication fails, the process continues with step B7.)
B7     The client is put into the user or group VLAN. (The process continues with step B9.)
B8     If not changing VLANs, the VPS responds to the logon. (The process ends with this step.)
B9     The client releases the IP address from the DHCP server.
B10    The client renews the IP address from the DHCP server.
B11    The second logon packet is sent to the VPS.
B12    The VPS responds to the logon request.

Differences Between Microsoft Networking and Novell NetWare

Handling of Microsoft Networking Logons

1. If the username is mapped to a VLAN, URT switches to the selected VLAN.

2. If the username is not mapped to a VLAN, but the user's primary group is mapped, URT switches to the group VLAN.

3. If neither of the previous two conditions applies, but the user is a member of any group mapped to a VLAN, URT switches to that group's VLAN. (URT selects the first group in the Groups list that has a VLAN policy.)

4. If none of the previous three conditions apply, URT uses the default VLAN for the VTP domain.

Handling of Novell NetWare Logons

1. If the NDS username is mapped to a VLAN, URT switches to the selected VLAN.

2. If the NDS username is not mapped to a VLAN, but the user is a member of an organizational unit, URT switches to the organizational unit VLAN (if one is assigned).

3. URT checks VLAN policies to find organizational units that contain the user.

An example of an organizational unit for user Ken might be:

Ken.California.USA.NorthAmerica.

In this example, the organizational unit California contains the user Ken. URT looks for VLAN policies in the same order: Ken, then California. URT switches to the organizational unit-based VLAN policy for California (if one is found).

4. If none of the previous conditions applies, URT uses the default VLAN for the VTP domain.
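Table 1-4, Table 1-5, and the Microsoft Networking and Novell NetWare rules above together define one decision procedure. The following Python block is an added example, not URT code, that encodes that procedure so the precedence can be checked against a concrete policy set. The policy tables, the lower-casing of MAC addresses, the treatment of a static port as an assignment URT never overrides, and the continued check of outer NDS containers (USA, NorthAmerica) after the first organizational unit are assumptions of this example.

```python
"""Model of URT's VLAN assignment order (Table 1-4), the dynamic/static port
rule (Table 1-5), and the Microsoft Networking and Novell NetWare handling
rules. Added example, not URT code; the policy tables, the walk through outer
NDS containers, and the MAC address format are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Policies:
    logon_vlan: str                                          # default VLAN for the VTP domain
    retain_mac_associations: bool = False                    # Customize > Options > Logon tab
    by_user: Dict[str, str] = field(default_factory=dict)    # username -> VLAN
    by_group: Dict[str, str] = field(default_factory=dict)   # NT/AD group -> VLAN
    by_ou: Dict[str, str] = field(default_factory=dict)      # NDS organizational unit -> VLAN
    by_mac: Dict[str, str] = field(default_factory=dict)     # MAC address (lower case) -> VLAN


@dataclass
class Logon:
    mac: str
    port_static_vlan: Optional[str] = None   # set when the switch port has a static VLAN
    username: Optional[str] = None           # None: host does not support user registration
    nds_context: Optional[str] = None        # e.g. "Ken.California.USA.NorthAmerica"
    primary_group: Optional[str] = None      # Microsoft Networking primary group
    groups: List[str] = field(default_factory=list)  # in the order of URT's Groups list


def nt_group_vlan(logon: Logon, pol: Policies) -> Optional[str]:
    """Microsoft Networking: the primary group wins, then the first mapped group."""
    if logon.primary_group in pol.by_group:
        return pol.by_group[logon.primary_group]
    for group in logon.groups:
        if group in pol.by_group:
            return pol.by_group[group]
    return None


def nds_ou_vlan(logon: Logon, pol: Policies) -> Optional[str]:
    """Novell NetWare: check the organizational units that contain the user,
    innermost first. The page shows only the first OU (California) being
    checked; continuing outward to USA and NorthAmerica is an assumption."""
    if not logon.nds_context:
        return None
    for ou in logon.nds_context.split(".")[1:]:  # element 0 is the user itself
        if ou in pol.by_ou:
            return pol.by_ou[ou]
    return None


def assign_vlan(logon: Logon, pol: Policies) -> Tuple[str, str]:
    """Return (vlan, reason) for one logon, following URT's priority order."""
    if logon.port_static_vlan is not None:
        return logon.port_static_vlan, "static port: URT does not apply"
    mac = logon.mac.lower()
    if pol.retain_mac_associations and mac in pol.by_mac:
        return pol.by_mac[mac], "retained MAC-to-VLAN association"
    if logon.username is not None:
        if logon.username in pol.by_user:
            return pol.by_user[logon.username], "username policy"
        vlan = nt_group_vlan(logon, pol) or nds_ou_vlan(logon, pol)
        if vlan is not None:
            return vlan, "group or organizational unit policy"
    if mac in pol.by_mac:
        return pol.by_mac[mac], "host-based (MAC) policy"
    return pol.logon_vlan, "no matching policy: logon VLAN"


# Constructed sample policy set for one VTP domain.
SAMPLE = Policies(
    logon_vlan="LOGON",
    by_user={"alice": "ENG"},
    by_group={"Finance": "FIN", "Staff": "CORP"},
    by_ou={"California": "CA"},
    by_mac={"00:11:22:33:44:55": "PRINTERS", "00:11:22:aa:bb:cc": "LAB"},
)

if __name__ == "__main__":
    cases = [
        Logon(mac="00:00:00:00:00:01", username="alice"),
        Logon(mac="00:00:00:00:00:02", username="bob", primary_group="Users",
              groups=["Staff", "Finance"]),
        Logon(mac="00:00:00:00:00:03", username="ken",
              nds_context="Ken.California.USA.NorthAmerica"),
        Logon(mac="00:11:22:33:44:55"),                     # printer: no user logon
        Logon(mac="00:11:22:AA:BB:CC", username="alice"),  # user policy beats MAC policy
        Logon(mac="00:00:00:00:00:04", username="carol"),  # nothing matches
        Logon(mac="00:00:00:00:00:05", username="alice", port_static_vlan="STATIC10"),
    ]
    for case in cases:
        print(case.mac, case.username, "->", assign_vlan(case, SAMPLE))
```

Run with a policy set that has retain_mac_associations=True to see the MAC mapping override a username policy for the same host; with it off, the same host gets the user-based VLAN, which is the behaviour Table 1-4 describes for the URT option row.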

Web-Based Logon Authentication

URT supports web-based authentication for Windows, Linux, and MacOS clients through LDAP (Active Directory and NDS) and RADIUS servers. The VPS determines the VTP domain of the switch and uses the corresponding VLAN to assign the switch port VLAN.


Note   You must modify the DHCP setting so the logon VLAN uses the VPS as the DNS setting. When a user logs on from the web, the web page address is queried in DNS. The response to the query is the IP address of the current VPS system; the URT web logon page is then displayed.

For RADIUS servers, you must add an attribute on the server that indicates the VTP domain and VLAN assigned to a user. The RADIUS server returns this attribute when the user is successfully authenticated.

Understanding Logoff Processing

Figure 1-5 illustrates a user logging off the network with URT installed; Table 1-8 explains the logoff sequence.


Note   The process is essentially the same whether the user logs off from a Windows/NDS domain controller or from the web.


Figure 1-5   URT-Based Traditional and Web Logoff Sequence


Table 1-8   Description of Traditional and Web Logoff Sequence

Step   Description
1      A logoff packet is sent to the URT VPS.
2      If changing VLANs, the VPS sends a VQP response to the switch.
3      The client is put into the logon/MAC VLAN. (The process continues with step 4.)
4      If not changing VLANs, the VPS responds to the logoff. (The process ends with this step.)
5      The client releases the IP address from the DHCP server.
6      The client renews the IP address from the DHCP server.
7      The second logoff packet is sent to the VPS.
8      The VPS responds to the logoff request.

Implementing URT in Your Network

After reading the material in this chapter to familiarize yourself with the URT basics, perform the following tasks to implement URT in your network.


Step 1   Import data from CiscoWorks2000 or a comma-separated value (CSV) file, then add switches manually. (See "Getting Started with URT.")

Step 2   Add VPSs and configure switches to use them. (See "Managing VLAN Policy Servers.")

Step 3   Configure domains, directories, and servers. (See "Setting Up Domains, Directories, and Servers.")

Step 4   Associate VLANs and users. (See "Managing VLANs and Users.")

Step 5   Customize the Web Client Interface for web logons. (See "Setting Up and Using the URT Web Client Interface.")

Step 6   Install the URT Client Module for traditional logons (if not done automatically).
(See "Managing the Traditional Client Module.")

Step 7   (Optional.) You might need to remove URT from your network. (See "Removing URT.")




Posted: Tue May 20 18:29:51 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.