Authentication and Authorization Policies: Using Cisco Identity Services Engine in a BYOD World
The previous chapter focused on the levels of authorization you should provide for users and devices based on your logical Security Policy. You will build policies in ISE that employ those authorization results, such as Downloadable Access Lists and Authorization Profiles to accommodate the enforcement of that “paper policy.”
These authorization results are the end result: the final decision for a login session, or for a particular stage of a login session.
This chapter examines how to build the Authentication and Authorization Policies that will eventually assign those results that were created in Chapter 12. These policies can be equated to the rules in a firewall and are constructed in a similar fashion.
Relationship Between Authentication and Authorization
Many IT professionals, especially those with wireless backgrounds, tend to confuse these terms and what they actually do. Wireless is used as an example here because it went through such tremendous growth over the last few years, and with that growth came increased security. Wireless was the most prevalent use case of 802.1X authentication, and in the vast majority of wireless environments, a user was given full network access as long as her username and password were correct (meaning that authentication was successful).
Authentication, simply put, is “validating credentials.” If you were to go into a bank and request a withdrawal from an account, the bank asks for ID. You pass your driver’s license to the bank teller, and the teller inspects the driver’s license, going through a checklist of sorts:
- Does the picture on the license look like the person in front of the teller’s window?
- Is the license from a recognized authority (i.e., one of the United States or a Military ID)?
Let’s say, for conversation’s sake, that you handed them a valid ID (authentication was successful); does that mean you are entitled to the money you asked for?
The next step of the bank teller is to check the account and ensure that the person requesting the withdrawal is entitled to complete that transaction. Perhaps you are allowed to withdraw up to $1,000, but no more. This is the process of authorization. Just having a successful authentication does not prove entitlement.
This is why most of the time working within a product like ISE is spent setting up and tuning the Authorization Policy. Authorization is where the bulk of the final decisions are made.
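To make the separation concrete, here is an added example (not code from the book and not Cisco ISE’s own logic) that models the two stages in a few dozen lines of Python. Stage one only validates credentials against a constructed identity store and returns the user’s group memberships. Stage two walks an ordered, first-match list of authorization rules, in the same spirit as firewall rules, and returns the name of a result such as an Authorization Profile or a dACL. Every username, password, group, device type, rule name and result name below is constructed for illustration; the rule ordering shows why a quarantine rule sits above the “full access” rule, and the implicit deny at the bottom shows why a successful authentication alone proves no entitlement.

```python
"""Added example: authentication (credential validation) kept separate from
authorization (ordered, first-match rule evaluation). All identities, groups,
rules and result names are constructed for illustration."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# ---- Stage 1: authentication. Answers only "are these credentials valid?" ----

_SALT = b"constructed-salt-for-illustration-only"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed identity store: username -> (salt, password hash, groups)
IDENTITY_STORE = {
    "alice": (_SALT, _hash("correct horse", _SALT), {"Employees", "Finance"}),
    "bob": (_SALT, _hash("battery staple", _SALT), {"Contractors"}),
}


def authenticate(username: str, password: str) -> Optional[Set[str]]:
    """Return the user's groups if the credentials are valid, else None.
    A non-None result says nothing about what the user may access."""
    entry = IDENTITY_STORE.get(username)
    if entry is None:
        _hash(password, _SALT)  # do equal work for unknown users (timing)
        return None
    salt, stored, groups = entry
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return None
    return set(groups)


# ---- Stage 2: authorization. Ordered rules, first match wins, implicit deny ----

@dataclass
class Session:
    username: str
    groups: Set[str]
    device_type: str   # constructed values: "corporate-laptop", "byod-phone", ...
    posture: str       # constructed values: "compliant", "noncompliant", "unknown"


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str        # constructed Authorization Profile / dACL name


# Order matters exactly as it does in a firewall ruleset: the quarantine rule
# must sit above the rules that grant access, or a noncompliant device would
# be granted full access on the strength of its group membership alone.
AUTHZ_POLICY: List[Rule] = [
    Rule("Quarantine-Noncompliant",
         lambda s: s.posture == "noncompliant", "dACL:Quarantine"),
    Rule("Finance-Full",
         lambda s: "Finance" in s.groups and s.device_type == "corporate-laptop",
         "Profile:Finance-Full-Access"),
    Rule("Employee-BYOD",
         lambda s: "Employees" in s.groups and s.device_type.startswith("byod"),
         "Profile:Internet-Only"),
    Rule("Contractor",
         lambda s: "Contractors" in s.groups, "dACL:Contractor-Limited"),
]
DEFAULT_RESULT = "Profile:DenyAccess"   # the implicit deny at the bottom


def authorize(session: Session) -> Tuple[str, str]:
    """Return (matched rule name, result) for the first rule whose condition holds."""
    for rule in AUTHZ_POLICY:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", DEFAULT_RESULT


def login(username: str, password: str, device_type: str, posture: str) -> dict:
    """Run both stages; a valid password alone never yields access."""
    groups = authenticate(username, password)
    if groups is None:
        return {"authenticated": False, "rule": None, "result": "Reject"}
    rule, result = authorize(Session(username, groups, device_type, posture))
    return {"authenticated": True, "rule": rule, "result": result}


if __name__ == "__main__":
    for args in [("alice", "correct horse", "corporate-laptop", "compliant"),
                 ("alice", "correct horse", "corporate-laptop", "noncompliant"),
                 ("alice", "correct horse", "byod-phone", "compliant"),
                 ("alice", "correct horse", "unknown-device", "compliant"),
                 ("bob", "battery staple", "byod-phone", "compliant"),
                 ("bob", "wrong", "byod-phone", "compliant")]:
        print(args[0], args[2], args[3], "->", login(*args))
```

Note that `alice` with a valid password still lands on the implicit deny when no authorization rule describes her device, and on the quarantine dACL when her posture is noncompliant: the authentication outcome is identical in every one of her sessions, and only the authorization policy decides what she gets.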