User Registration Tool (URT) helps you simplify your network management and control access to key services in your network.
These topics provide basic information about how URT works:
User Registration Tool (URT) is a security application in the Cisco Secure product line that controls user access to the LAN. User access is granted through authentication to Windows NT, Novell Directory Services (NDS), or Active Directory (AD) domain controllers. Until a user is authenticated, URT places the user in a logon VLAN that cannot access corporate data servers.
URT facilitates enterprise security, mobile user access, and corporate reorganizations. You can develop VLAN-based security policies and make sure that users access only the authorized services.
As users move from system to system in your network, URT identifies them based on their logon username and applies the appropriate VLAN policy for each user. You can use URT to create and manage VLAN-based security policies based on a username or a user's membership in a group or organizational unit.
URT supports Microsoft Windows clients for traditional logon and Linux and MacOS clients for web logon.
For more information about the web browsers and client platforms supported, see Installation and Setup Guide for the Cisco Secure User Registration Tool.
Figure 1-1 shows the relationship between the required network resources and URT.
Note The relationship in this illustration is only a generalization: you do not have to place all of the systems on the same network segment.
Table 1-1 describes the URT components.
Table 1-2 describes other components that URT accesses on the network.
Table 1-2 Other Components URT Accesses on the Network
Because traditional URT is not web-based, users log on using the Windows logon.
Note Traditional logon applies only to Windows clients using Microsoft Networking or Novell NetWare.
Users can also log on from the web on Windows, Linux, and MacOS systems. Web clients are authenticated through LDAP or RADIUS servers.
The same URT Administrative Server and VPS can manage both traditional logons and web logons.
Note To distinguish between the types of logons, the terms traditional logon and web logon are used in this guide.
Table 1-3 describes the URT security features for both traditional logons and web logons.
Table 1-3 URT Security Features for Traditional Logons and Web Logons
You can use both user-based (URT) and host-based (MAC address) VLAN policies in your network, as described in the following topics:
You can create user-based VLAN policies based on a Windows NT or Windows 2000 user or group name, or a Novell NetWare user or organizational unit name. Using these types of policies allows a user to move from one system to another and remain assigned to the appropriate VLAN and subnet (assuming that a single workstation is connected directly to a switch that supports URT).
Users with mobile systems (such as laptops) can connect to any supported switch port and be placed in the correct VLAN and subnet. You must define the associated port as dynamic; if the port has a static VLAN assignment, URT does not override that assignment.
You can create host-based VLAN policies by assigning a MAC address to a VLAN. Use host-based VLAN policies primarily with servers directly connected to a supported switch (for example, UNIX or Linux servers). To place a host that does not support user registration in a preassigned VLAN when it starts communicating on the network, you must create host-based VLAN policies.
To create a host-based VLAN policy, you assign VLANs based on the host MAC address associated with the system network interface card (NIC). Because the VLAN policy is based on the MAC address, the host is mapped to a VLAN as soon as it starts communicating on a port. Therefore, no user logon is required.
If there is a one-to-one correspondence between users and hosts (that is, users do not move from host to host), host and user registration provides essentially identical network policy control. Because the VLAN is based on the host MAC address, not the switch port, you can move the host to a different port and make sure that the same VLAN policy is applied. (For example, you can move a laptop between buildings.)
You can use a host-based VLAN policy with any host directly attached to a port on a supported switch. (For example, to register a network-attached server that no user can log onto, use a host-based VLAN policy.)
Note You cannot use host-based VLAN policies with hosts attached to hubs, routers, or unsupported switches.
If you are using traditional logons, host-based VLAN policies allow you to include MacOS, Linux, UNIX, and other non-Windows types of hosts in your dynamic VLAN planning. You can also use host-based VLAN policies with Windows systems, even if the Windows version supports user registration.
You can combine user-based and host-based VLAN policies in the same network by mapping the host MAC address to a VLAN.
Therefore, for open-use systems, you can define a more restrictive host-based VLAN while giving trusted users their typical user-based VLAN resources.
For client hosts that support both user-based and host-based VLAN policies:
URT has an option that determines whether systems logging onto the network with MAC-to-VLAN mappings retain those mappings or if they use URT user-based VLAN policies.
The URT Options dialog box is displayed.
Step 2 Click the Logon tab.
Step 3 To keep these mappings, select the Retain MAC to VLAN Associations checkbox.
Note If you select this option when the system does not have MAC-to-VLAN associations, user-based VLAN policies are used.
Step 4 Click OK.
User-based registration takes precedence over host-based VLAN policies. URT applies VLAN assignments in the priority order shown in Figure 1-2.
VLANs are assigned in the priority order described in Table 1-4.
Table 1-4 Priority in Assigning VLANs
After URT is initiated and a user logs onto the domain (and is authenticated using the VLAN policies previously defined through URT), the user is assigned to an appropriate VLAN and subnet and is automatically assigned a new IP address in the appropriate subnet from the DHCP server.
URT VPSs replace switch-based VMPSs in your network.
Note Switches must continue to run the VMPS client to communicate with the URT VPSs.
Before URT places users in the mapped VLAN, they are placed in a logon VLAN that you define for the VTP domain using the URT Administrative GUI. The logon VLAN is used as the default VLAN, giving unmapped users network connectivity. The logon VLAN ensures that users can be authenticated before connecting to your network.
The URT logon process is transparent. To manage user logon and logoff transparently, URT starts a lightweight background service on the client system that does not affect system performance.
Users are assigned to their associated VLAN only if they connect to the network through a dynamic switch port. Table 1-5 shows the relationships among the switch port state, the URT VLAN policy, and the resulting VLAN.
Table 1-5 How Users are Placed in VLANs Using URT
| Switch Port State | User-Based or Host-Based VLAN Policy in URT? | Resulting VLAN |
|---|---|---|
Users must log onto a domain server before gaining access to the network in their preassigned VLANs. Before URT places users in the mapped VLAN, they are placed in a logon VLAN that you define for the VTP domain (see the "Setting a Default Logon VLAN" section).
The logon VLAN is used as the default VLAN, giving unmapped users network connectivity. The logon VLAN ensures that users are authenticated before connecting to your network.
Table 1-6 Description of Traditional Logon Sequence
Table 1-7 Description of Web Logon Sequence
1. If the username is mapped to a VLAN, URT switches to the selected VLAN.
2. If the username is not mapped to a VLAN, but the user's primary group is mapped, URT switches to the group VLAN.
3. If neither of the previous two conditions applies, but the user is a member of any group mapped to a VLAN, URT switches to the group VLAN. (Select the first group in the Groups list that has a VLAN policy.)
4. If none of the previous three conditions apply, URT uses the default VLAN for the VTP domain.
1. If the NDS username is mapped to a VLAN, URT switches to the selected VLAN.
2. If the NDS username is not mapped to a VLAN, but the user is a member of an organizational unit, URT switches to the organizational unit VLAN (if one is assigned).
3. URT checks VLAN policies to find organizational units that contain the user.
An example of an organizational unit for user Ken might be:
Ken.California.USA.NorthAmerica.
In this example, the organizational unit California contains the user Ken. URT looks for VLAN policies in the same order: Ken, then California. URT switches to the organizational unit-based VLAN policy for California (if one is found).
4. If neither of the previous conditions applies, URT uses the default VLAN for the VTP domain.
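The following Python model is an added illustration, not Cisco code: it encodes the precedence described above (user-based registration over host-based MAC policy unless Retain MAC to VLAN Associations is set, no override of static ports) together with the traditional and NDS logon lookup orders. Policy names, VLAN labels and MAC addresses are constructed sample data; the behaviour of an unmapped user on a host with a MAC policy (falling to the default VLAN) is an assumption drawn from "user-based registration takes precedence".

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policies:
    """VLAN policies for one VTP domain (constructed sample shape, not URT's data model)."""
    user_vlans: dict = field(default_factory=dict)   # username -> VLAN
    group_vlans: dict = field(default_factory=dict)  # NT group or NDS OU -> VLAN
    mac_vlans: dict = field(default_factory=dict)    # host MAC address -> VLAN
    default_vlan: str = "LOGON"                      # logon VLAN for the VTP domain
    retain_mac_assoc: bool = False                   # "Retain MAC to VLAN Associations"


def windows_user_vlan(p: Policies, user: str, primary_group: str, groups: list) -> str:
    """Traditional logon order: username, primary group, first mapped group, default."""
    if user in p.user_vlans:
        return p.user_vlans[user]
    if primary_group in p.group_vlans:
        return p.group_vlans[primary_group]
    for g in groups:  # first group in the Groups list that has a VLAN policy
        if g in p.group_vlans:
            return p.group_vlans[g]
    return p.default_vlan


def nds_user_vlan(p: Policies, context: str) -> str:
    """NDS logon order: username, then each containing OU outward, then default."""
    user, *ous = context.split(".")  # e.g. "Ken.California.USA.NorthAmerica"
    if user in p.user_vlans:
        return p.user_vlans[user]
    for ou in ous:  # nearest containing OU is checked first
        if ou in p.group_vlans:
            return p.group_vlans[ou]
    return p.default_vlan


def port_vlan(p: Policies, port_state: str, mac: str, user_vlan: Optional[str] = None):
    """VLAN a switch port receives. user_vlan is the result of a logon lookup
    above, or None while no user has logged on from the host."""
    if port_state != "dynamic":
        return None  # static port: URT never overrides the static assignment
    if mac in p.mac_vlans and (user_vlan is None or p.retain_mac_assoc):
        return p.mac_vlans[mac]  # host-based policy applies as soon as the MAC talks
    if user_vlan is None:
        return p.default_vlan  # unmapped host waits in the logon VLAN
    return user_vlan  # user-based registration takes precedence over MAC policy (assumed for unmapped users too)


# Constructed sample policies; names, VLAN labels and MAC are illustrative only.
SAMPLE = Policies(user_vlans={"Ken": "V-ENG"},
                  group_vlans={"California": "V-CA", "Sales": "V-SALES"},
                  mac_vlans={"00:11:22:33:44:55": "V-SERVER"})
```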
URT supports web-based authentication for Windows, Linux, and MacOS clients through LDAP (Active Directory and NDS) and RADIUS servers. The VPS determines the VTP domain of the switch and uses the corresponding VLAN to assign the switch port VLAN.
Note You must modify the DHCP setting so the logon VLAN uses the VPS as the DNS setting. When a user logs on from the web, the web page address is queried in DNS. The response to the query is the IP address of the current VPS system; the URT web logon page is then displayed.
For RADIUS servers, you must add a server attribute to indicate the VTP/VLAN assigned to a user. The RADIUS server returns this attribute when a user is successfully authenticated.
Figure 1-5 illustrates a user logging off the network with URT installed; Table 1-8 explains the logoff sequence.
Note The process is essentially the same whether the user logs off from a Windows/NDS domain controller or from the web.
Table 1-8 Description of Traditional and Web Logoff Sequence
After reading the material in this chapter to familiarize yourself with the URT basics, perform the following tasks to implement URT in your network.
Step 2 Add VPSs and configure switches to use them. (See "Managing VLAN Policy Servers.")
Step 3 Configure domains, directories, and servers:
(See "Setting Up Domains, Directories, and Servers.")
Step 4 Associate VLANs and users:
(See "Managing VLANs and Users.")
Step 5 Customize the Web Client Interface for web logons. (See "Setting Up and Using the URT Web Client Interface.")
Step 6 Install the URT Client Module for traditional logons (if not done automatically).
(See "Managing the Traditional Client Module.")
Step 7 (Optional.) You might need to remove URT from your network. (See "Removing URT.")
Posted: Tue May 20 18:29:51 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.