Cisco IBNS Technical Review


  • 8/2/2019 CiscoIBNS Technical Review

    1/48

    2008 Cisco Systems, Inc. All rights reserved. 1

    Introduction to IEEE 802.1X and Cisco Identity-Based Networking Services (IBNS)

    Cisco


    Abstract

    Cisco Identity-Based Networking Services (IBNS) provides customized access control for wired LAN networks.

    Cisco IBNS is increasingly important in campus networks as enterprises look for security, visibility, and convergence at the access edge.

    Using IEEE 802.1X and supplementary technologies, Cisco IBNS is a network solution that provides the foundation for dynamic, user-differentiated policy and advanced network intelligence.


    Basic Identity Concepts

    What is an identity? An assertion of who we are; it allows us to differentiate between one another.

    What does an identity look like? Typical network identities include:
      - Username and password
      - Email address: [email protected]
      - MAC address: 00-0c-14-a4-9d-33
      - IP address: 10.0.1.199
      - Digital certificates

    How do we use identities? They are used to grant appropriate authorizations: rights to services within a given domain.


    What Is Authentication and Authorization?

    Authentication is the process of establishing and confirming the identity of a client requesting services.

    Authentication is useful only if it is used to establish a corresponding authorization (for example, access to a bank account).

    The bank-counter exchange on the slide:
      I want to withdraw 200 euros please.
      Do you have identification?
      Yes, I do. Here it is.
      Thank you. Here are your euros.

    An authentication system is only as strong as the method of verification used.


    Identity-Enabled Networking

    Applying the authentication model to the network:
      I want to connect to the network.
      Identification required.
      Here is my identification.
      Identification verified; access granted.


    Why Is Cisco IBNS Important for the Campus?

      1. Who are you? IEEE 802.1X (or a supplementary method) authenticates the user.
      2. Where can you go? Based on authentication, the user is placed in the correct VLAN.
      3. What service level do you receive? The user can be given per-user services (access control lists [ACLs] today, more to come).
      4. What are you doing? The user's identity and location can be used for tracking and accounting.

    Slide callouts: Keep the Outsiders Out; Keep the Insiders Honest; Personalize the Network; Increase Network Visibility.


    New Business Environment Demands Identity

    Drivers shown on the slide:
      - Contractors, partners, and guests
      - No boundary for a global and mobile workforce
      - New and changing threats
      - Compliance
      - Accountability for empowered employees

    A recent Gartner survey indicates that 50% of enterprises plan to implement 802.1X in their wired networks by 2011. Gartner believes that momentum will increase strongly, and that actual enterprise adoption will reach 70% by 2011.

    Gartner, "Findings: Wired 802.1X Adoption on the Rise," Lawrence Orans and John Pescatore, July 28, 2008


    IEEE 802.1X: The Foundation of Cisco IBNS

    This section covers terminology, components, and protocols.

    The exchange, as on the earlier slide:
      I want to connect to the network.
      Identification required.
      Here is my identification.
      Identification verified; access granted.


    IEEE 802.1X Terminology

    Supplicant: IEEE 802.1X client. Examples: Microsoft native supplicant and Cisco Secure Services Client (SSC).

    Authenticator: access device. Examples: Cisco Catalyst switches and access points.

    Authentication server: RADIUS and AAA server. Examples: Cisco Secure ACS, Microsoft IAS and NPS.

    Back-end database: AD, LDAP.


    IEEE 802.1X Components

    The supplicant (for example, Cisco SSC) talks to the authenticator over a Layer 2 point-to-point link; the authenticator talks to the authentication server over a Layer 4 link and acts as a relay. The actual authentication method is policy dependent.

    The exchange shown on the slide:
      Supplicant to authenticator: Hi. Anybody home?
      Authenticator to supplicant: Who are you?
      Supplicant to authenticator: I am Alice.
      Authenticator to server: Alice requests access.
      Server to authenticator: Tell Alice to send her password in an encrypted tunnel.
      Authenticator to supplicant: Send your password in the tunnel.
      Supplicant to authenticator: Here is my encrypted password.
      Authenticator to server: Alice's encrypted password.
      Server to authenticator: Alice checks out. Let Alice on VLAN 10.
      Authenticator to supplicant: Success. You may now send traffic to the network.


    IEEE 802.1X Protocols: Extensible Authentication Protocol (EAP)

      - A flexible transport protocol used to carry arbitrary authentication information; defined by RFC 3748
      - Establishes and manages connections
      - Allows authentication by encapsulating various types of authentication exchanges (EAP methods)
      - EAP provides a flexible link-layer security framework:
        - Simple encapsulation protocol
        - No dependency on IP
        - Assumes no reordering
        - Can run over lossy or lossless media
        - Can run over any link layer (Point-to-Point Protocol [PPP], IEEE 802, etc.)
      - EAP over LAN = EAPoL


    EAP in Context

    The supplicant (Cisco SSC) and authenticator exchange EAP over the Layer 2 point-to-point link; the authenticator and authentication server exchange the same EAP packets over the Layer 4 link.

      1. Supplicant to authenticator: EAPoL Start
      2. Authenticator to supplicant: EAP ID Request
      3. Supplicant to authenticator: EAP ID Response; relayed to the server as EAP Response: Alice
      4. Server to authenticator to supplicant: EAP Request: Send Tunneled Password
      5. Supplicant to authenticator to server: EAP Response: Tunneled Password
      6. Server to authenticator: EAP Success, Let Alice on VLAN 10; authenticator to supplicant: EAP Success


    IEEE 802.1X Protocols: EAP Methods

      - EAP methods define the credential type and authentication method to be used
      - Supplicant and authentication server must support the same method
      - Most common credential types are passwords and X.509 certificates
      - Certificates often increase the complexity of deployment

    Prevalent EAP methods:

      Method          Client credential       Basis for encryption         Main benefit
      EAP-TLS         Client certificate      Not required                 Highly secure
      PEAP-MSCHAPv2   Username and password   Server-certified TLS tunnel  Does not require client certificate
      EAP-FAST        PAC                     Server PAC                   Requires no certificates


    Factors Promoting EAP Method

      - Enterprise security policy
        - Certificate authority deployment
        - Requirements such as two-factor authentication may promote the choice of EAP-TLS
      - Client support
        - Windows XP supports EAP-TLS, PEAP with EAP-MSCHAPv2, and PEAP with EAP-TLS
        - Third-party supplicants support a large variety of EAP types, but not all
      - Authentication server support
        - RADIUS servers support a large variety of EAP types, but not all
      - Authentication store
        - PEAP with EAP-MSCHAPv2 can be used only with authentication stores that store passwords in MSCHAPv2 format
        - Not every identity store supports all EAP types

    The customer's choice of EAP type affects every other component.


    EAP Method (PEAP) in Context

    Same topology as before: supplicant (Cisco SSC), authenticator, and authentication server, with a Layer 2 point-to-point link on the access side and, as labelled on this slide, a Layer 3 link toward the server.

      1. Supplicant to authenticator: EAPoL Start
      2. Authenticator to supplicant: EAP ID Request
      3. Supplicant to authenticator: EAP ID Response; relayed to the server as EAP Response: Alice
      4. Server to authenticator to supplicant: EAP Request: PEAP
      5. Supplicant to authenticator to server: EAP Response: PEAP (Client Hello)
      6. The PEAP exchange continues
      7. Server to authenticator: EAP Success, Let Alice on VLAN 10; authenticator to supplicant: EAP Success


    IEEE 802.1X Protocols: RADIUS

      - RADIUS acts as the transport for EAP from the authenticator to the authentication server
      - RFC describing how RADIUS should support EAP between authenticator and authentication server: RFC 3579
      - RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
      - Usage guideline for IEEE 802.1X authenticators' use of RADIUS: RFC 3580
      - AV pairs = attribute-value pairs

    Packet layouts shown on the slide:
      RADIUS carrying EAP:               IP Header | UDP Header | RADIUS Header | EAP Payload
      RADIUS carrying EAP and policy:    IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs


    RADIUS in Context

    Supplicant (Cisco SSC) to authenticator over the Layer 2 point-to-point link; authenticator to authentication server over the Layer 3 link.

      1. Supplicant to authenticator: EAPoL Start
      2. Authenticator to supplicant: EAP ID Request
      3. Supplicant to authenticator: EAP ID Response; authenticator to server: RADIUS Access-Request [AVP: EAP Response: Alice]
      4. Server to authenticator: RADIUS Access-Challenge [AVP: EAP Request: PEAP]; authenticator to supplicant: EAP Request: PEAP
      5. Supplicant to authenticator: EAP Response: PEAP; authenticator to server: RADIUS Access-Request [AVP: EAP Response: PEAP]
      6. Multiple challenge/request exchanges are possible
      7. Server to authenticator: RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10]; authenticator to supplicant: EAP Success
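The EAP, EAP-in-context, RADIUS and RADIUS-in-context slides above all describe the same relay: the authenticator takes EAP out of EAPoL on the access port and forwards it unchanged inside RADIUS toward the server. The Python below is an added example, not code from the deck or from Cisco. It encodes an EAP Response/Identity for Alice, wraps it in an EAPoL frame, unwraps it as the authenticator would, and forwards it in a RADIUS Access-Request carrying EAP-Message and Message-Authenticator (RFC 3579 requires Message-Authenticator whenever EAP-Message is present), then performs the server-side HMAC check. Function names, the shared secret, the RADIUS identifier and the Request Authenticator are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# EAP (RFC 3748): Code, Identifier, Length, then Type and Type-Data.
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
# EAPOL (IEEE 802.1X) packet type for a frame that carries an EAP packet.
EAPOL_EAP_PACKET = 0
# RADIUS code and attribute numbers (RFC 2865 / RFC 3579).
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def eap_packet(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet; Success/Failure carry no Type field."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, type, type_data)."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, identifier, (pkt[4] if length > 4 else None), pkt[5:]

def eapol_frame(eapol_type, body=b""):
    """EAPOL header: Version (2 = 802.1X-2004), Type, Body Length."""
    return struct.pack("!BBH", 2, eapol_type, len(body)) + body

def parse_eapol(frame):
    _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    return eapol_type, frame[4:4 + length]

def radius_attr(attr_type, value):
    """RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def radius_access_request(identifier, request_authenticator, attrs, secret,
                          include_message_authenticator=True):
    """Build an Access-Request. RFC 3579 requires Message-Authenticator, an
    HMAC-MD5 over the whole packet keyed with the shared secret and computed
    with the attribute value zero-filled, whenever EAP-Message is present."""
    if include_message_authenticator:
        attrs = attrs + [radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = b"".join(attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(body))
    pkt = header + request_authenticator + body
    if not include_message_authenticator:
        return pkt                      # constructed non-compliant packet
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac              # the zero placeholder is the last 16 bytes

def parse_radius_attrs(pkt):
    """Walk the attribute list that follows the 20-byte RADIUS header."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    attrs, i = [], 20
    while i < len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, pkt[i + 2:i + length]))
        i += length
    return attrs

def verify_message_authenticator(pkt, secret):
    """Server-side check: recompute the HMAC with the attribute zeroed and
    compare in constant time. A packet without the attribute is rejected,
    which is what RFC 3579 requires once EAP-Message is in play."""
    i = 20
    while i + 1 < len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if length != 18:
                return False
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(pkt[i + 2:i + 18], expected)
        i += length
    return False

def relay_identity_response(username, secret, identifier=1):
    """The relay step from the slides: the supplicant's EAP Response/Identity
    travels inside EAPOL on the access port; the authenticator unwraps it and
    forwards the EAP packet unchanged inside a RADIUS EAP-Message attribute."""
    eap = eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, username.encode())
    frame = eapol_frame(EAPOL_EAP_PACKET, eap)          # Layer 2 leg
    eapol_type, inner = parse_eapol(frame)              # authenticator receives
    if eapol_type != EAPOL_EAP_PACKET:
        raise ValueError("expected an EAPOL EAP-Packet")
    _code, _ident, _type, identity = parse_eap(inner)
    attrs = [radius_attr(ATTR_USER_NAME, identity),
             radius_attr(ATTR_EAP_MESSAGE, inner)]
    # RADIUS identifier 7 and a random Request Authenticator: constructed values.
    return radius_access_request(7, os.urandom(16), attrs, secret)
```

The Message-Authenticator check is the part a server must not skip: the Request Authenticator alone does not bind the attributes of an Access-Request, so without the HMAC an on-path party between authenticator and server could alter the EAP-Message or User-Name undetected.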


    Next Section: Wired IEEE 802.1X Port-Based Access Deployment


    Why Is Identity Difficult in the Wired LAN?

    WLANs and remote-access VPN:
      - Relatively new technology
      - Required a client from the beginning
      - No old-technology host issues to deal with

    Wired Ethernet networks:
      - Ethernet is a mature technology, widely deployed
      - Never really required an authentication client
      - 20 years of older protocols, devices, operating systems, and applications, most of which were built with the assumption of open connectivity

    IEEE 802.1X in wired environments is a change from all this:
      - Requires prior knowledge of device capabilities before configuring the access port (a major operating-expense challenge)

    Features to help with wired IEEE 802.1X deployments:
      - FlexAuth: single-port configuration with flexible authentication technology (IEEE 802.1X, MAB, and WebAuth)
      - 802.1X open mode: enhanced IEEE 802.1X authenticator (wired switches, etc.) to address OS, protocol, and management-application issues
      - IP Telephony (IPT) integration enhancements: MDA
      - Simplification of MAB
      - Network access point (NAC) profiler: provides endpoint discovery and profiling


    IEEE 802.1X: The Foundation of Identity

    Components shown on the slide: Supplicant (IEEE 802.1X client) <- EAP over LAN (EAPoL) -> Authenticator (switch, access point, etc.) <- RADIUS -> Authentication Server (Cisco Secure ACS, etc.)

      - IEEE 802.1 working group standard
      - Provides port-based access control using authentication
      - Defines encapsulation for EAP over IEEE 802 media: EAPoL
      - Enforcement using MAC-based filtering and port-state monitoring


    Default Port State Without IEEE 802.1X

    No visibility, no access control: no authentication is required, and an unknown user's DHCP, TFTP, KRB5, and HTTP traffic all pass through the switch port.


    Default Security with 802.1X: Before Authentication

    No visibility (yet), strict access control.

        interface FastEthernet 3/48
         authentication port-control auto

    All traffic except EAPoL is dropped. One physical port becomes two virtual ports:
      - Uncontrolled port (EAPoL only)
      - Controlled port (everything else)

    On the slide, the unknown user's DHCP, TFTP, KRB5, and HTTP traffic is blocked at the switch port; only EAPoL passes.


    Default Security with 802.1X: After Authentication

    The user or device is known: identity-based access control, single MAC per port.

        interface FastEthernet 3/48
         authentication port-control auto

    Authenticated user: Sally. The port now looks the same as it did without IEEE 802.1X: Sally's DHCP, TFTP, KRB5, and HTTP traffic passes.

    Slide caption: "Having read your mind, Sally, that is true. Unless you apply an authorization, access is wide open. We can restrict access with dynamic VLAN assignment or downloadable ACLs."


    Default Security: Consequences

    Default IEEE 802.1X challenge: devices without supplicants cannot send EAPoL, and no EAPoL means no access, so the device stays offline.

        interface FastEthernet 3/48
         authentication port-control auto

    One physical port, two virtual ports:
      - Uncontrolled port (EAPoL only)
      - Controlled port (everything else)

    On the slide, the supplicant-less device's DHCP and TFTP traffic is dropped at the switch port.


    Simplifying IEEE 802.1X Deployments

      Challenge                Cisco IOS Software enhancement
      Clientless device        Cisco IOS Software MAB plus NAC Profiler
      Host asset management    Cisco IOS Software IEEE 802.1X open mode
      Operation cost           Cisco IOS Software flexible authentication (FlexAuth)
      IPT integration          Cisco IOS Software MDA; Cisco IOS Software EAPoL logoff and MAB inactivity timer; Cisco IOS Software Cisco Discovery Protocol host connect TLV


    Authenticating Clientless Devices: MAC Authentication Bypass (MAB)

        interface FastEthernet 3/48
         authentication port-control auto
         mab

      - Same authorizations as IEEE 802.1X (VLAN or ACL)
      - Requires a current database of known MAC addresses

    Sequence for an end-point host (MAC 00.0a.95.7f.de.06) on a port running dot1x and MAB:
      1. Link up
      2. EAP ID Request; timeout, no response
      3. EAP ID Request; timeout, no response
      4. EAP ID Request; timeout, no response
      5. Fallback to MAB; learn MAC
      6. RADIUS Access-Request: 00.0a.95.7f.de.06
      7. RADIUS Access-Accept
      8. Port enabled


    MAB Limitations and Challenges

      - MAB requires creation and maintenance of a MAC database
      - Default IEEE 802.1X timeout = 90 seconds
        - 90 seconds: default MSFT DHCP timeout
        - 90 seconds: default PXE timeout
        - Current workaround: timer tuning (always requires testing)
      - max-reauth-req: maximum number of times (default = 2) that the switch retransmits an EAP ID Request frame on the wire
      - tx-period: number of seconds (default = 30) that the switch waits for a response to an EAP ID Request frame before retransmitting
      - IEEE 802.1X timeout = (max-reauth-req + 1) * tx-period
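To make the timeout formula concrete, here is an added Python helper (not from the deck or from Cisco IOS) that derives the EAP ID Request schedule and the instant MAB fallback begins from max-reauth-req and tx-period, and compares that instant with the DHCP and PXE client timeouts the slide quotes. Reporting an exact tie as a race rather than a pass is this example's reading of the slide's warning that timer tuning always requires testing; the CLIENT_TIMEOUTS table and the function names are constructed for the example.

```python
# Timer model for the slide's formula; helper names are this example's own.
DEFAULT_MAX_REAUTH_REQ = 2      # EAP ID Request retransmissions (slide default)
DEFAULT_TX_PERIOD = 30          # seconds between EAP ID Requests (slide default)
# Client-side timers quoted on the slide; the labels are constructed here.
CLIENT_TIMEOUTS = {"Microsoft DHCP client": 90, "PXE boot": 90}


def dot1x_timeout(max_reauth_req=DEFAULT_MAX_REAUTH_REQ, tx_period=DEFAULT_TX_PERIOD):
    """Seconds from link-up until MAB fallback: (max-reauth-req + 1) * tx-period."""
    return (max_reauth_req + 1) * tx_period


def request_schedule(max_reauth_req=DEFAULT_MAX_REAUTH_REQ, tx_period=DEFAULT_TX_PERIOD):
    """Seconds after link-up at which each EAP ID Request goes out: the initial
    request plus max-reauth-req retransmissions, each tx-period apart."""
    return [n * tx_period for n in range(max_reauth_req + 1)]


def mab_fallback_report(max_reauth_req, tx_period, client_timeouts=CLIENT_TIMEOUTS):
    """Compare the fallback instant with each client timer. A tie is reported as
    a race rather than a pass because MAB still needs a RADIUS round trip after
    the fallback starts; only a clear margin counts as safe."""
    fallback_at = dot1x_timeout(max_reauth_req, tx_period)
    report = {}
    for client, limit in client_timeouts.items():
        if fallback_at < limit:
            report[client] = "ok"
        elif fallback_at == limit:
            report[client] = "race"
        else:
            report[client] = "too slow"
    return report
```

With the defaults the report flags both client timers as a race, which is the situation the slide describes; shortening tx-period or max-reauth-req moves the fallback earlier, at the cost of giving slow supplicants less time to answer, which is why the slide insists on testing any tuned values.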


    Simplifying MAB Deployments: NAC Profiler

    Build the MAC database before deploying IEEE 802.1X. The NAC Profiler Server and NAC Profiler Collector learn port, MAC address, Organizational Unique Identifier, and vendor ID from SNMP and DHCP:

        interface range gigE 1/0/1 - 24
         switchport access vlan 30
         switchport voice vlan 31
        snmp-server host 10.100.10.215 RO
        snmp-server enable traps mac-notification
        snmp-server enable traps snmp linkup linkdown
        interface VLAN 30
         ip helper-address 10.100.10.215


    NAC Profiler: Query MAC Database After Deploying IEEE 802.1X

        interface range gigE 1/0/1 - 24
         switchport access vlan 30
         switchport voice vlan 31
         authentication port-control auto
         mab

      1. IEEE 802.1X times out and the switch initiates MAB (RADIUS Access-Request: 00-18-f8-09-cf-d7 to ACS).
      2. Cisco Secure Access Control Server (ACS) queries the Profiler database using LDAP (LDAP: 00-18-f8-09-cf-d7).
      3. Profiler validates the MAC address (LDAP success).
      4. Cisco Secure ACS sends MAB success (RADIUS Access-Accept).
      5. Switch enables the port (with optional authorization).


    Next Section: Open Mode


    IEEE 802.1X and MAB: Open Mode (No Restrictions)

    IEEE 802.1X and MAB enabled; open mode enabled: all traffic in addition to EAP is allowed (on the slide, DHCP, TFTP, HTTP, and EAP all pass the switch port).

    RADIUS accounting logs provide visibility:
      - Passed and failed IEEE 802.1X/EAP attempts: list of valid dot1x-capable hosts, list of non-dot1x-capable hosts
      - Passed and failed MAB attempts: list of valid MAC addresses, list of invalid or unknown MAC addresses


    IEEE 802.1X and MAB: Open Mode, Selectively Open Access

      - Open mode (pin hole) on specific TCP and UDP ports; restrict to specific addresses
      - EAP allowed (controlled port)
      - Block general access until successful IEEE 802.1X, MAB or WebAuth

    On the slide, pin-holing explicit TCP and UDP ports allows the desired access: DHCP to a specific DHCP server, TFTP and HTTP to the PXE server, and EAP.


    Example: Open Mode on IEEE 802.1X Port with Access Control

    Topology: wired Ethernet end points on IEEE 802.1X* Ethernet ports of a Cisco Catalyst 6500 Series switch; Cisco Secure ACS and AAA (RADIUS); DHCP/DNS and PXE servers, including the hosts 10.100.10.116 and 10.100.10.117 referenced in the ACL. Slide source: Ken Hook.

    * Works on FlexAuth and MDA enabled ports

    Sample open mode configuration:

        interface range gigE 1/0/1 - 24
         switchport access vlan 30
         switchport voice vlan 31
         ip access-group UNAUTH in
         authentication host-mode multi-domain
         authentication open
         authentication port-control auto
         mab

        ip access-list extended UNAUTH
         permit tcp any any established
         permit udp any any eq bootps
         permit udp any host 10.100.10.116 eq domain
         permit udp any host 10.100.10.117 eq tftp

    Before authentication (any to any), the port ACL in TCAM:

        6506-2#show tcam interface g1/13 acl in ip
        permit tcp any any established match-any
        permit udp any any eq bootps
        permit udp any host 10.100.10.116 eq domain
        permit udp any host 10.100.10.117 eq tftp
        deny ip any any

    After authentication of the end point with IP 10.100.60.200, a per-host permit is inserted ahead of the pin holes:

        6506-2#show tcam interface g1/13 acl in ip
        permit ip host 10.100.60.200 any
        permit tcp any any established match-any
        permit udp any any eq bootps
        permit udp any host 10.100.10.116 eq domain
        permit udp any host 10.100.10.117 eq tftp
        deny ip any any
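As an added example (not from the deck or from Cisco IOS), the Python below parses the ACL entries shown in the two TCAM listings above, evaluates constructed sample packets against them, and returns the before- and after-authentication decisions, so the effect of the per-host permit the switch inserts for 10.100.60.200 can be checked without a switch. It supports only the entry forms that appear on the slide (any, host, eq with a port keyword, established); the packet dictionaries and the sample destination 203.0.113.10 are constructed.

```python
import ipaddress

# IOS port keywords that appear in the slide's ACLs, resolved to numbers.
PORT_NAMES = {"bootps": 67, "domain": 53, "tftp": 69}

# The two TCAM listings from the slide; "match-any" is a TCAM annotation the
# parser ignores, and "deny ip any any" is the implicit deny made visible.
BEFORE_AUTH = """
permit tcp any any established match-any
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
deny ip any any
"""
AFTER_AUTH = "permit ip host 10.100.60.200 any\n" + BEFORE_AUTH


def _address(tokens):
    """Consume 'any' or 'host A.B.C.D'; the wildcard-mask form is not on the slide."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    raise ValueError("unsupported address form: " + " ".join(tokens))


def _port(tokens):
    """Consume an optional 'eq <name|number>' qualifier."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one access control entry into its match fields."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _address(tokens[2:])
    sport, rest = _port(rest)
    dst, rest = _address(rest)
    dport, rest = _port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in rest}


def parse_acl(text):
    """Keep only permit/deny lines; prompts and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("permit", "deny"):
            entries.append(parse_ace(line))
    return entries


def evaluate(acl, pkt):
    """First matching entry wins; no match falls to the implicit deny.
    pkt: dict with proto, src, dst, optional sport/dport, optional established."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        if ace["established"] and not pkt.get("established", False):
            continue
        return ace["action"]
    return "deny"


def access_decisions(pkt):
    """(before-authentication decision, after-authentication decision)."""
    return (evaluate(parse_acl(BEFORE_AUTH), pkt),
            evaluate(parse_acl(AFTER_AUTH), pkt))
```

Two things worth checking with it: before authentication only the pin-holed services (DHCP, DNS to .116, TFTP to .117, and return traffic of established TCP sessions) get through, and after authentication the inserted permit is bound to the authenticated end point's IP, so traffic sourced from any other address on the port still hits the pin holes and the implicit deny.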


    Next Section: Flexible Authentication (FlexAuth)


    Flexible Authentication: Host Roulette

    One configuration addresses all use cases and all host modes: a controllable sequence of access control mechanisms (802.1X, MAB, WebAuth), with flexible failure and fallback authorization. Choice of policy enforcement mechanisms: VLAN, downloadable per-user ACL, and URL. Benefit: greater flexibility and deterministic behavior.

    Host types shown on the slide: 802.1X client (employee, partner, faculty, subcontractor), valid host asset with a valid MAC address, guest user.

    Outcomes shown on the slide:
      - 802.1X client: EAP credentials sent and validated; port authorized
      - Valid MAC address: IEEE 802.1X times out or fails; MAB; known MAC, Access-Accept; port authorized
      - Guest user: IEEE 802.1X times out or fails; MAB; unknown MAC, Access-Accept with URL redirect to WebAuth
      - Host change (shown on the slide after port authorization)

        interface GigabitEthernet1/13
         authentication host-mode multi-domain
         authentication order dot1x mab webauth
         authentication priority dot1x mab webauth
         authentication port-control auto
         dot1x pae authenticator
         authentication violation restrict
         authentication fallback WEB-AUTH
         mab


    Next Section: IP Telephony Integration


    MDA for Cisco IP Phones

        interface GigE 1/0/5
         switchport mode access
         switchport access vlan 2
         switchport voice vlan 12
         authentication host-mode multi-domain
         authentication port-control auto
         dot1x pae authenticator
         mab

      1. Phone learns VVID from Cisco Discovery Protocol.
      2. IEEE 802.1X times out (no supplicant on the phone).
      3. Switch initiates MAB for the phone's MAC (RADIUS Access-Request: phone MAC).
      4. Cisco Secure ACS returns Access-Accept with a Vendor Specific Attribute (VSA) for phones (device-traffic-class=voice).
      5. Switch allows phone traffic on either VLAN until the phone sends a tagged packet; then only voice VLAN traffic is allowed.
      6. Asynchronously, the PC (running SSC) authenticates using IEEE 802.1X or MAB. Authenticated PC traffic is allowed on the data VLAN only.


    MDA in Action

        3750-1(config-if)#do sh dot1x int G1/0/5 details
        Dot1x Authenticator Client List
        -------------------------------
        Domain                = DATA
        Supplicant            = 0014.5e42.66df
        Auth SM State         = AUTHENTICATED
        Auth BEND SM State    = IDLE
        Port Status           = AUTHORIZED
        Authentication Method = Dot1x
        Authorized By         = Authentication Server

        Domain                = VOICE
        Supplicant            = 0016.9dc3.08b8
        Auth SM State         = AUTHENTICATED
        Auth BEND SM State    = IDLE
        Port Status           = AUTHORIZED
        Authentication Method = MAB
        Authorized By         = Authentication Server
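An added example (not from the deck or from Cisco IOS) of how an operator could audit ports against the MDA outcome the slides describe: the Python below parses the show dot1x output above into one record per domain and reports anything that departs from the expected state (port authorized by the authentication server, the voice domain authenticated via MAB because the phone has no supplicant, the data domain via Dot1x or MAB, and one host per domain). The EXPECTED_METHODS policy and the wording of the findings are this example's assumptions; the sample output is copied from the slide.

```python
import re

# Output copied from the slide (the switch prompt line is omitted).
SHOW_DOT1X_DETAILS = """\
Dot1x Authenticator Client List
-------------------------------
Domain                = DATA
Supplicant            = 0014.5e42.66df
Auth SM State         = AUTHENTICATED
Auth BEND SM State    = IDLE
Port Status           = AUTHORIZED
Authentication Method = Dot1x
Authorized By         = Authentication Server

Domain                = VOICE
Supplicant            = 0016.9dc3.08b8
Auth SM State         = AUTHENTICATED
Auth BEND SM State    = IDLE
Port Status           = AUTHORIZED
Authentication Method = MAB
Authorized By         = Authentication Server
"""

# Expected method per domain on an MDA port; constructed policy for this example.
EXPECTED_METHODS = {"VOICE": {"MAB"}, "DATA": {"Dot1x", "MAB"}}

FIELD_RE = re.compile(r"^\s*(.+?)\s*=\s*(.+?)\s*$")


def parse_client_list(text):
    """One dict per client; each 'Domain' line starts a new record."""
    clients, current = [], None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "Domain":
            current = {}
            clients.append(current)
        if current is not None:
            current[key] = value
    return clients


def audit_port(text, expected=EXPECTED_METHODS):
    """Return a list of findings; an empty list means the port matches policy."""
    findings = []
    per_domain = {}
    for client in parse_client_list(text):
        domain = client.get("Domain")
        per_domain.setdefault(domain, []).append(client)
        if client.get("Port Status") != "AUTHORIZED":
            findings.append(f"{domain}: port status is {client.get('Port Status')}")
        if client.get("Authorized By") != "Authentication Server":
            findings.append(f"{domain}: not authorized by the authentication server "
                            f"({client.get('Authorized By')})")
        allowed = expected.get(domain)
        if allowed is not None and client.get("Authentication Method") not in allowed:
            findings.append(f"{domain}: unexpected method "
                            f"{client.get('Authentication Method')}")
    for domain, entries in per_domain.items():
        if len(entries) > 1:
            findings.append(f"{domain}: {len(entries)} hosts in one domain "
                            "(multi-domain host mode allows one per domain)")
    return findings
```

Run over the slide's output the audit returns no findings; feeding it a record whose voice host shows up as Dot1x-authenticated, or a data domain with two hosts, produces one finding per deviation, which is the kind of check worth scripting across all access ports after an MDA rollout.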


    IP Telephony Integration: Summary

      - Allows Cisco and third-party IP phones without supplicants to be identified and authenticated
        - First-hop switch snoops protocols
        - First-hop switch proxies requests to the authentication service
      - Customer benefits
        - Allows more devices to participate in the identity network
        - Eliminates capital and operating expenses for upgrade and replacement of all IP phones

    Use case: PC disconnect behind an IP phone. Mechanisms shown on the slide: EAPOL Logoff from the supplicant, Cisco Discovery Protocol notification on the VVID, and inactivity timers.


    Main Points

    Cisco Identity-Based Networking Services (IBNS) provides a security foundation for customers.

    New Cisco IBNS features simplify deployments and operations.


    Additional Resources

    Cisco IBNS website: http://www.cisco.com/go/ibns

    Products:
      - Cisco Catalyst 6500 Series Switches: http://www.cisco.com/go/6500
      - Cisco Catalyst 4500 Series Switches: http://www.cisco.com/go/4500
      - Cisco Catalyst 3750 Series Switches: http://www.cisco.com/go/3750
      - Cisco Catalyst 3560 Series Switches: http://www.cisco.com/go/3560
      - Cisco Catalyst 2960 Series Switches: http://www.cisco.com/go/2960
