Identity Management

Cisco Secure Access Control Server (ACS)

The Cisco Secure Access Control Server (ACS) is a high-performance, highly scalable, centralized user access control framework. Cisco Secure ACS offers centralized command and control for all user authentication, authorization, and accounting from a Web-based, graphical interface, and distributes those controls to hundreds or thousands of access gateways in your network. With ACS you can manage and administer user access for Cisco IOS® routers, virtual private networks (VPNs), firewalls, dial and broadband DSL, cable access solutions, voice over IP (VoIP), Cisco wireless solutions, and Cisco Catalyst® switches via IEEE 802.1x access control.


WHAT'S NEW

What's new in Identity Management:

  1. Cisco IOS software Identity Enhancements
    • PKI Infrastructure Support
      • Ability to use digital certificates between routers instead of pre-shared keys
      • Makes deploying Site to Site VPN more scalable
    • PKI-AAA Integration
      • Extends PKI authentication to perform authorization based on digital certificates
      • Allows the AAA server to push policy down to the router: AAA says what services are permitted, and the router then builds the ACL
      • Benefit: policy does not have to be individually administered for routers
      • Benefit: policy is easy to change, since it lives in AAA rather than on multiple individual routers
    • Secure RSA Private Key
      • If a router is stolen, the Boot Flash (ROMMON) is hacked, and password recovery is attempted, the private key is erased
      • Protects against stolen routers being used
    • N-tier CA Chaining
      • Similar to how tiered DNS works
      • Starts at leaf, then traverses up tree to root seeking appropriate CA
      • Benefit: geographic and organizational scale
    • Authentication Proxy
      • Useful for split tunnel situations
      • Downloads per-user ACL from AAA after authenticating
      • HTTP, FTP, or telnet sessions initiated from either trusted (inside) or untrusted (outside)
    • Secure ARP
      • Associates MAC address and IP address before gaining access to a tunnel
      • Prevents hijacking of IP address
    • 802.1X
      • 802.1x port-level authentication on 3700 switch modules
  2. Identity-Based Networking Services and IEEE 802.1x
    An architectural framework based on technology standards that allows the network administrator to implement true identity-based network access control and policy enforcement, right down to the user and individual access port level. IEEE 802.1x is an open-standards-based protocol for authenticating network clients (or ports) on a user-ID basis. IBNS and 802.1x are supported on all Cisco Catalyst switches, including Catalyst 6500, 4500, 3550, and 2950 switches, Cisco ACS Server as well as Cisco Aironet Access Points.

 
© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.