2009 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1
Deploying Wired 802.1X
BRKSEC-2005
Housekeeping
We value your feedback- don't forget to complete your online session evaluations after each session & complete the Overall Conference Evaluation which will be available online from Thursday
Visit the World of Solutions
Please remember this is a 'non-smoking' venue!
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times including the Party
Session Objective
Understand base 802.1X concepts
Learn the benefits of deploying 802.1X
Learn how to configure and deploy 802.1X
Learn lessons on how to make it work when you get back to your lab
Agenda
802.1X and Wired Access
Default Functionality
Deployment Considerations
Reporting and Monitoring
Looking Forward
Deployment Case Study
AAA authentication on routers
IPSec authentication
In-depth concepts on identity management and single sign-on (upper layer identity)
Specific Extensible Authentication Protocol (EAP) methods in depth
X.509 certificates and PKI
Wireless LAN 802.1X
Switch Features that are not consistent across platforms
CatOS
802.1X and Wired Access
Why is 802.1X Important in the Campus
1. Who are you? 802.1X (or a supplementary method) authenticates the user: Keep the Outsiders Out
2. Where can you go? Based on authentication, the user is placed in the correct VLAN: Keep the Insiders Honest
3. What service level do you receive? The user can be given per-user services (ACLs today, more to come): Personalize the Network
4. What are you doing? Can be used for tracking and accounting: Increase Network Visibility
Basic Identity Concepts
What is an identity?
an assertion of who we are.
allows us to differentiate between one another
What does it look like?
Typical Network Identities include
Username / Password
Email: [email protected]
MAC Address: 00-0c-14-a4-9d-33
IP Address: 10.0.1.199
Digital Certificates
How do we use identities?
Used to grant appropriate authorization rights to services within a given domain
What Is Authentication? Authorization?
Authentication is the process of establishing and confirming the identity of a client requesting services
Authentication is only useful if used to establish corresponding authorization (e.g. access to a bank account)
200.00 Euros Please.
Do You Have Identification?
Yes, I Do. Here It Is.
An Authentication System Is Only as Strong as the Method of Verification Used
Identity and Authentication Are Important?
Identity-Enabled Networking
Applying the Authentication Model to the Network
Identification required
Here is my identification
Identification verified, access granted!
Default Functionality
IEEE 802.1X
Standard set by the IEEE 802.1 working group
Is a framework designed to address and provide port-based access control using authentication
802.1X is primarily an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
EAPOL is a Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
Assumes a secure connection
Actual enforcement is via MAC-based filtering and port-state monitoring
802.1X Port Access Control Model
Supplicant: desktop/laptop, IP phone, WLAN AP, switch
  -> Request for Service (Connectivity), Layer 2 ->
Authenticator: switch, router, WLAN AP
  -> Backend Authentication Support, Layer 3 ->
Authentication Server: IAS / NPS, ACS, any IETF RADIUS server
  -> Identity Store Integration ->
Identity Store/Management: MS Active Directory, LDAP, NDS, ODBC
802.1X Protocols
Supplicant -- EAP over LAN (EAPoL) / EAP over WLAN (EAPoW), Layer 2 --> Authenticator -- RADIUS, Layer 3 --> Authentication Server -- store-dependent protocol --> Identity Store
802.1X - Extensible Authentication Protocol (EAP)
Establishes and manages connection; allows authentication by encapsulating various types of authentication exchanges
EAP provides a flexible link layer security framework
Simple encapsulation protocol
No dependency on IP
Few link layer assumptions
Can run over any link layer (PPP, 802, etc.)
Assumes no reordering
Can run over lossy or lossless media
Defined by RFC 3748
802.1X - RADIUS
RADIUS acts as the transport for EAP from the authenticator to the authentication server
RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579
RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs
Usage guideline for 802.1X authenticators' use of RADIUS: RFC 3580
AV Pairs: Attribute-Value Pairs
Authentication: IP Header | UDP Header | RADIUS Header | EAP Payload
Authorization:  IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs
A Closer Look: IOS Switch Configuration
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.100.100.100
radius-server key cisco123
dot1x system-auth-control
interface GigabitEthernet1/0/1
 authentication port-control auto
 dot1x pae authenticator
Port Unauthorized until the supplicant authenticates over 802.1X
A Closer Look: 802.1X Exchange
Supplicant -- 802.1X (EAPoL) --> Switch -- RADIUS --> Authentication Server
Port Unauthorized
1) EAPOL-Start
2) EAP-Identity-Request
3) EAP-Identity-Response
4) EAP-Auth Exchange (EAP method dependent) / Auth Exchange w/AAA Server
5) Auth Success & Policy Instructions -> EAP-Success
Port Authorized
6) EAPOL-Logoff -> Port Unauthorized
Actual authentication is between client and auth server using EAP. The switch is an EAP conduit, but aware of
Default Security with 802.1X: Before Authentication
interface fastEthernet 3/48
 authentication port-control auto
ALL traffic except EAPoL is dropped
One physical port -> two virtual ports: Uncontrolled port (EAPoL only), Controlled port (everything else)
No visibility (yet)
Strict Access Control
Default Security with 802.1X: After Authentication
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
Authenticated User: Sally
User/Device is Known
Identity-based Access Control
Single MAC per port
Looks the same as without 802.1X
Default authorization is on or off. Dynamic VLANs or ACLs can be used to customize the user experience.
Default Security: Consequences
Default 802.1X challenge: devices without supplicants
No EAPoL = No Access (device stays offline)
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
One physical port -> two virtual ports: Uncontrolled port (EAPoL only), Controlled port (everything else)
Default Security: More Consequences
Multiple MACs on Port (hubs, gratuitous ARPs, VMware) are assumed to be malicious
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
Deployment Considerations
802.1X Deployment Considerations
Non-802.1X Clients & Guests
Failed Access Handling
RADIUS Availability
Flexible Authentication Sequencing
Multiple Devices Per Port
Authorization
Authentication and Endpoint Considerations
802.1X and Microsoft Windows
Other Considerations
Handling Non-802.1X Clients & Guests
Authenticate via less-secure method
MAC Authentication Bypass (MAB)
Web Auth (client must have browser)
Give them limited access after timeout and no response
Guest VLAN
Allow WLAN access instead of wired
WLAN is a great way to do guest access if available
802.1X with Guest VLAN
Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
A device is only deployed into the guest VLAN based on the lack of response to the EAP-Request-Identity frames (which can be thought of as 802.1X hellos)
No further security or authentication is applied: the port behaves as if 802.1X were not configured (i.e. multi-host) and is hard-set into the specified VLAN
90 seconds is greater than the MSFT DHCP timeout
Client 802.1X process:
1) Upon link up: EAP-Identity-Request (D = 01.80.c2.00.00.03), no response
2) 30 seconds later: EAP-Identity-Request (D = 01.80.c2.00.00.03), no response
3) 30 seconds later: EAP-Identity-Request (D = 01.80.c2.00.00.03), no response
4) 30 seconds later: EAP-Success (D = 01.80.c2.00.00.03); port deployed into the Guest VLAN
authentication event no-response action authorize vlan 50
MAC Authentication Bypass (MAB)
Client (00.0a.95.7f.de.06) -- switch running dot1x/MAB -- RADIUS
1) Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03, no response
2) 30 seconds later: EAPOL-Request (Identity), no response
3) 30 seconds later: EAPOL-Request (Identity), no response
4) 30 seconds later: EAPOL timeout, initiate MAB
5) Learn MAC (variable time)
6) RADIUS-Access-Request
7) RADIUS-Access-Accept
8) Port enabled
interface GigabitEthernet 1/1
 mab
MAB Limitations & Challenges
MAB requires creating and maintaining MAC database
Default 802.1X timeout = 90 seconds
90 sec > default MSFT DHCP timeout
90 sec > default PXE timeout
Current Workaround: Timer tuning (always requires testing)
max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire
tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting
802.1X Timeout == (max-reauth-req + 1) * tx-period
NAC Profiler: Query MAC Database After Deploying 802.1X
Switch -- RADIUS --> ACS -- LDAP --> NAC Profiler Server
1) 802.1X times out, switch initiates MAB: RADIUS-Access-Request: 00-18-f8-09-cf-d7
2) ACS queries Profiler database using LDAP: 00-18-f8-09-cf-d7
3) Profiler validates MAC address: LDAP Success
4) ACS sends MAB success: RADIUS-Access-Accept
5) Switch enables port (with optional authorization): 00-18-f8-09-cf-d7 Port Enabled
interface range gigE 1/0/1 - 24
 switchport access vlan 30
 switchport voice vlan 31
 authentication port-control auto
 mab
Microsoft AD as MAB Database (DB)
Can be used as a MAB DB using a user object. The username and password will be the MAC address of the device.
Many useless objects
May conflict with complex password policy
Can create a lightweight AD instance for this purpose that can be referred to via LDAP
Can use the ieee802Device object class for the MAB database.
Reduces object count
No conflict with complex password policy
Windows Server 2003 R2 and Windows Server 2008
For Your Reference
Web-Based Proxy Authentication
1) No EAPOL: 802.1X times out
2) Client initiates connection, activates port authentication state machine
3) Switch port filters traffic, limiting it to HTTP, HTTPS, DNS and DHCP
4) Switch port relays DHCP address from DHCP server
5) User starts web browser and initiates web connection
6) Switch port redirects URL and presents HTTP form prompting for userid/pwd
7) User enters credentials; they are checked against RADIUS DB via PAP; if authenticated, switch port is opened for normal network access
Authentication Failures: 802.1X Client Without Valid Credential
Supplicant (Client) -- 802.1X / EAP --> Authenticator (Switch) -- RADIUS --> Authentication Server (AAA/ACS)
1) EAPOL-Start*
2) EAP-Identity-Exchange
3) RADIUS-Access-Request
4) EAP-Data-Request
5) RADIUS-Access-Request
6) RADIUS-Reject
7) EAPOL-Failure
Port is never granting access
* Note: EAPOL-Starts are optional, possibility of EAP-NAK left out intentionally, and EAP exchange dependent on method.
This works great in preventing rogue access to a network!
This is a primary reason Enterprises look to deploy 802.1X/Identity Networking!
This is also the problem! (How should we provide access to devices that fail?)
Why Provide Access to Devices that Fail?
As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default.
Many enterprises require guests and failed corporate assets get conditional access to the network.
Re-provision credentials through a web proxy or VPN Tunnel
Provide guest access through VLAN assignment or web proxy
802.1X: Certificate Expired!
802.1X: User Unknown!
Failed Auth: Solution 1: Auth-Fail-VLAN
Supplicant (Client) -- 802.1X --> Authenticator (Switch) -- RADIUS --> Authentication Server (AAA/ACS)
EAP-Identity-Exchange -> RADIUS-Access-Request
EAP-Data-Request -> RADIUS-Access-Request
RADIUS-Reject -> EAPOL-Failure (repeated for each failed attempt)
On the third consecutive failure, the port is enabled and an EAPOL-Success is transmitted
Port is now granted access
interface GigabitE 3/13
 authentication port-control auto
 authentication event fail action authorize vlan 51
802.1X with Auth-Fail VLAN: Deployment Considerations
1. Supplicant cannot exit the Auth-Fail VLAN
Only alternatives: switch-initiated re-authentication or port bounce
2. No Secondary Authentication Mechanism.
3. Auth-Fail VLAN, like Guest VLAN, is a switch-local authorization -> centralized policy on AAA server is not enforced
4. Switch and AAA server have conflicting views of the network: the switch sees Access Granted (Auth-fail VLAN), the AAA server sees Access Denied
Failed Auth: Solution 2: Flex-Auth Next-Method
Supplicant (Client) -- 802.1X --> Authenticator (Switch) -- RADIUS --> Authentication Server (AAA/ACS)
EAP-Request / EAP-Identity-Response -> RADIUS-Access-Request: EAP
RADIUS-Access-Response ... RADIUS-Reject
On 802.1X failure, the port continues to the next authentication method (MAB)
Learn MAC -> RADIUS-Access-Request: MAC -> RADIUS-Access-Accept
Port is now granted access based on MAB authorization
interface GigabitE 3/13
 authentication port-control auto
 authentication order dot1x mab
 authentication event fail action next-method
 mab
802.1X with Next-Method MAB: Deployment Considerations
MAC Database required
Policy decision: should 802.1X-capable devices get the same access level (MAB-assigned VLAN) if they authenticate via MAB after failing 802.1X?
The Problem: RADIUS Unavailable
Client -- Switch -- RADIUS
1) EAP-Identity-Exchange
2) RADIUS-Access-Request (retransmitted, no answer from the RADIUS server)
3) EAPOL-Failure
Port is not granting access
Inaccessible Authentication Bypass (IOS)
dot1x critical recovery delay 100
radius-server host x.x.x.x test username [username]
radius-server dead-criteria time 15 tries 3
interface GigabitEthernet 1/0/1
 dot1x critical
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
802.1X State Machine:
EAP-Identity-Request / EAP-Identity-Response
EAP-Auth Exchange / Auth Exchange w/AAA Server
Authentication Successful/Rejected -> EAP-Success/Failure
Port authorized (critical VLAN while the server is dead)
RADIUS Server comes back -> immediate reinitialize
Flexible Authentication Sequencing (Flex-Auth)
Configurable behavior after 802.1X failure
authentication event fail action authorize vlan X
authentication event fail action next-method
Configurable behavior after 802.1X timeout
authentication event no-response action authorize vlan Y
Configurable behavior before & after AAA server dies
authentication event server dead action authorize vlan Z
authentication event server alive action reinitialize
Two more features complete Flex-Auth:
authentication order
authentication priority
Flex-Auth Sequencing
Default Order: 802.1X First
802.1X -> (802.1X Timeout) -> MAB -> (MAB fails) -> Guest VLAN
By default, the switch attempts the most secure auth method first.
Timeout can mean significant delay before MAB.
Flex-Auth Order: MAB First
MAB -> (MAB fails) -> 802.1X -> (802.1X Timeout) -> Guest VLAN
Alternative order does MAB on first packet from device.
Flex-Auth Order with Flex-Auth Priority
Priority determines which method can preempt other methods.
By default, method sequence determines priority (first method has highest priority).
If MAB has priority, EAPoL-Starts will be ignored if MAB passes.
Default Priority: 802.1X ignored after successful MAB
MAB -> MAB passes -> Port Authorized by MAB; EAPoL-Start received -> ignored (MAB fails -> 802.1X)
Flex-Auth Priority: 802.1X starts despite successful MAB
MAB -> MAB passes -> Port Authorized by MAB; EAPoL-Start received -> 802.1X runs
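Added example (not from the Cisco deck): a small Python model of the Flex-Auth order, priority and event actions described on the preceding slides. It reproduces the 802.1X-first vs MAB-first sequences, the guest/auth-fail/next-method outcomes and the late EAPoL-Start preemption case, and computes how long a non-supplicant device waits before MAB using the deck's formula (max-reauth-req + 1) * tx-period. The PortConfig and Endpoint fields are constructed names that stand in for the IOS commands, not a real IOS API.

```python
from dataclasses import dataclass


@dataclass
class PortConfig:
    """Constructed subset of the 'authentication' interface commands on the slides."""
    order: tuple = ("dot1x", "mab")   # authentication order
    priority: tuple = None            # authentication priority (None = same as order)
    tx_period: int = 30               # dot1x timeout tx-period
    max_reauth_req: int = 2           # dot1x max-reauth-req
    no_response_vlan: int = None      # authentication event no-response action authorize vlan
    fail_action: str = None           # "next-method", "vlan:<id>" or None (port stays closed)


@dataclass
class Endpoint:
    """Constructed endpoint: a printer has no supplicant; a PC may send a late EAPoL-Start."""
    has_supplicant: bool
    dot1x_result: str = "fail"        # "pass" or "fail", used only if has_supplicant
    mac_known: bool = False           # present in the MAB database?
    late_start: bool = False          # EAPoL-Start arrives after MAB already authorized the port


def dot1x_timeout(cfg):
    """Seconds before the switch gives up on EAPoL, per the deck's formula."""
    return (cfg.max_reauth_req + 1) * cfg.tx_period


def dot1x_outranks_mab(priority):
    """True when 802.1X may preempt an existing MAB authorization."""
    if "dot1x" not in priority:
        return False
    return "mab" not in priority or priority.index("dot1x") < priority.index("mab")


def run_method(method, cfg, ep, clock):
    """Run one method; return ('pass' | 'fail' | 'timeout', clock_after)."""
    if method == "dot1x":
        if not ep.has_supplicant:
            return "timeout", clock + dot1x_timeout(cfg)   # unanswered Identity-Requests
        return ep.dot1x_result, clock
    if method == "mab":
        return ("pass" if ep.mac_known else "fail"), clock  # MAB runs on the first frame seen
    raise ValueError(f"unknown method {method}")


def simulate(cfg, ep):
    """Walk the configured order and apply the Flex-Auth event actions.

    Returns (authorization, seconds_elapsed, trace) where authorization is
    'dot1x', 'mab', 'guest-vlan:<id>', 'auth-fail-vlan:<id>' or 'unauthorized'.
    """
    clock, trace = 0, []
    priority = cfg.priority or cfg.order
    for i, method in enumerate(cfg.order):
        result, clock = run_method(method, cfg, ep, clock)
        trace.append(f"{method}:{result}@{clock}s")
        last = i == len(cfg.order) - 1
        if result == "pass":
            # Priority decides whether a later EAPoL-Start may preempt a MAB session.
            if method == "mab" and ep.late_start and ep.has_supplicant:
                if dot1x_outranks_mab(priority):
                    r, clock = run_method("dot1x", cfg, ep, clock)
                    trace.append(f"dot1x:{r}@{clock}s (preempts mab)")
                    return ("dot1x" if r == "pass" else "unauthorized"), clock, trace
                trace.append("eapol-start ignored (mab has priority)")
            return method, clock, trace
        if result == "fail" and method == "dot1x":
            if cfg.fail_action and cfg.fail_action.startswith("vlan:"):
                return "auth-fail-vlan:" + cfg.fail_action[5:], clock, trace
            if cfg.fail_action != "next-method" or last:
                return "unauthorized", clock, trace   # closed port, as on the failure slide
            continue
        # dot1x timeout or MAB failure: try the next method, else fall back to the Guest VLAN
        if last:
            if cfg.no_response_vlan is not None:
                return f"guest-vlan:{cfg.no_response_vlan}", clock, trace
            return "unauthorized", clock, trace
    return "unauthorized", clock, trace


if __name__ == "__main__":
    printer = Endpoint(has_supplicant=False, mac_known=True)
    for cfg in (PortConfig(no_response_vlan=50),
                PortConfig(order=("mab", "dot1x"), no_response_vlan=50)):
        print(cfg.order, simulate(cfg, printer))
```

Running the stand-alone block prints the 90-second wait a printer suffers under the default order against the immediate MAB authorization when MAB is ordered first.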
802.1X & IPT: A Special Case
Voice Ports
With voice ports, a port can belong to two VLANs, keeping voice and data traffic separate while still letting you configure 802.1X
An access port able to handle two VLANs:
Native or Port VLAN Identifier (PVID): untagged 802.3, authenticated by 802.1X
Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1q
Hardware set to dot1q trunk
802.1X and Voice: Multi-Domain Authentication (MDA)
MDA replaces CDP Bypass
Supports Cisco & 3rd Party Phones
Phones and PCs use 802.1X or MAB
[Figure: Catalyst 3750 port with an IP phone in the Voice domain and a PC in the Data domain]
Two Domains Per Port
Phone authenticates in Voice Domain, tags traffic in VVID (802.1q)
PC authenticates in Data Domain, untagged traffic in PVID
Single device per port -> Single device per domain per port
IEEE 802.1X MDA: 3K: 12.2(35)SEE, 4K: 12.2(37)SG, 6K: 12.2(33)SXI
MDA for Any IP Phone
1) Phone learns VVID from CDP (Cisco phone)
2) 802.1X times out (no supplicant on phone)
3) Switch initiates MAB: Access-Request: Phone MAC
4) ACS returns Access-Accept with Phone VSA
5) Phone traffic allowed on either VLAN until it sends a tagged packet, then only voice VLAN
6) (Asynchronous) PC authenticates using 802.1X or MAB; PC traffic allowed on data VLAN only
interface GigE 1/0/5
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
MDA in Action
Either 802.1X or MAB for phone
Any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for PC
ID-6500a#sho authentication session int g 7/1
Interface: GigabitEthernet7/1
MAC Address: 000f.2322.d9a2
IP Address: 10.6.110.2
User-Name: 00-0F-23-22-D9-A2
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Posture Token: Unknown
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A00645A0000000102124450
Acct Session ID: 0x00000007
Handle: 0x1D000001
-- snip --
Interface: GigabitEthernet7/1
MAC Address: 000d.60fc.8bf5
IP Address: 10.6.80.2
User-Name: host/beta-supp
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Posture Token: Healthy
Authorized By: Authentication Server
Vlan Policy: 80
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A00645A000000020213FF9C
Acct Session ID: 0x00000008
Handle: 0x6E000002
Runnable methods list:
 Method  State
 dot1x   Authc Success
 mab     Not run
Phone authenticated by MAB (VOICE domain); PC authenticated by 802.1X (DATA domain)
IPT & 802.1X: The Link-State Problem
[Figure: Catalyst 3750 with an IP phone; PC A (0011.2233.4455) and PC B (6677.8899.AABB) connect behind the phone]
Port authorized for 0011.2233.4455 only
1) Legitimate users cause security violation: frames from S:6677.8899.AABB trigger a Security Violation while the port is still authorized for S:0011.2233.4455
2) Hackers can spoof MAC to gain access without authenticating: frames sourced from S:0011.2233.4455 are still accepted (Security Hole)
Previous Solution: Proxy EAPoL-Logoff
[Figure: three stages of a Catalyst 3750 port with an IP phone and a PC behind it]
1) PC-A connected: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x
2) PC-A unplugs; the phone sends a proxy EAPoL-Logoff: Domain = DATA, Port Status = UNAUTHORIZED. Session cleared immediately by proxy EAPoL-Logoff.
3) PC-B plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x
Caveats:
Only for 802.1X devices behind phone
Requires: Logoff-capable phones
Previous Solution: MAB Inactivity Timeout
[Figure: three stages of a Catalyst 3750 port with a MAB-authenticated device behind an IP phone]
1) Device connected: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
2) Device unplugs: session stays up, vulnerable to security violation and/or hole
3) Inactivity timer expires: Domain = DATA, Port Status = UNAUTHORIZED. Session cleared. Vulnerability closed.
4) Device reconnects (or a quiet device is timed out) and re-authenticates: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer inactivity 300
 mab
Caveats:
Quiet devices may have to re-auth; network access denied until re-auth completes.
Still a window of vulnerability.
3K: 12.2(35)SE
4K: 12.2(50)SG
6K: 12.2(33)SXI
NEW Solution: CDP 2nd Port Notification (CDP Link Down)
[Figure: three stages of a Catalyst 3750 port with an IP phone and a device behind it]
1) Device A connected: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
2) Device A unplugs; phone sends link down TLV to switch: Domain = DATA, Port Status = UNAUTHORIZED. Session cleared immediately.
3) Device B plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x
Link status msg addresses root cause
Works for MAB and 802.1X
Nothing to configure
IP Phone: 8.4(1)
3K: 12.2(50)SE
4K: 12.2(50)SG
6K: 12.2(33)SXI
Modifying Default Security with 802.1X: Multi-Auth Mode
Multiple MACs on Port: each MAC authenticated by 802.1X or MAB
Superset of MDA with multiple data devices per port
No VLAN assignment supported
interface fastEthernet 3/48
 authentication port-control auto
 authentication host-mode multi-auth
Authorization
Authorization is the embodiment of the ability to enforce policies on identities
Typically, policies are applied using a group methodology, which allows for easier manageability
The goal is to take the notion of group management and policies into the network
Types of Authorization:
Default: Closed until authenticated.
Dynamic: VLAN assignment, ACL assignment
Local: Guest VLAN, Auth-fail VLAN, Critical Auth VLAN
Changing the Default Authorization: Open Mode (No Restrictions)
interface GigabitE 3/13
 authentication port-control auto
 authentication open
 mab
Authentication performed, no access control
Open Access Application 1: Monitor Mode (installing supplicants and credentials, creating MAB database)
RADIUS accounting logs provide visibility:
Passed/Failed 802.1X/EAP attempts: list of valid 802.1X-capable clients, list of non-802.1X-capable clients
Passed/Failed MAB attempts: list of valid MACs, list of invalid or unknown MACs
TO DO before implementing access control:
Confirm that all these should be on the network
Install supplicants on X, Y, Z clients
Upgrade credentials on failed 802.1X clients
Update MAC database with failed MABs
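Added example (not from the Cisco deck): a Python triage script for the monitor-mode phase above. It groups authentication results by MAC, derives the four lists the slide names and turns them into the TO DO list. The log lines are constructed in a simplified key=value layout for this example; they are not the real ACS or IAS log format, so the regular expression would need adapting to a real export.

```python
import re
from collections import defaultdict

# Constructed sample records (not real ACS/IAS output): one result per line.
SAMPLE_LOG = """\
2009-06-30 10:01:02 Passed-Authentication user=host/pc-17.corp.example mac=00-1A-2B-3C-4D-5E method=dot1x port=Gi1/0/3
2009-06-30 10:01:09 Failed-Attempt user=00-0C-29-AA-BB-CC mac=00-0C-29-AA-BB-CC method=mab reason=unknown-mac port=Gi1/0/7
2009-06-30 10:02:41 Failed-Attempt user=jsmith mac=00-1A-2B-11-22-33 method=dot1x reason=cert-expired port=Gi1/0/9
2009-06-30 10:03:05 Passed-Authentication user=00-18-F8-09-CF-D7 mac=00-18-F8-09-CF-D7 method=mab port=Gi1/0/12
2009-06-30 10:03:30 Failed-Attempt user=00-0C-29-AA-BB-CC mac=00-0C-29-AA-BB-CC method=mab reason=unknown-mac port=Gi1/0/7
2009-06-30 10:04:12 Failed-Attempt user=jsmith mac=00-1A-2B-11-22-33 method=dot1x reason=cert-expired port=Gi1/0/9
2009-06-30 10:04:50 Passed-Authentication user=00-1A-2B-11-22-33 mac=00-1A-2B-11-22-33 method=mab port=Gi1/0/9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<result>Passed-Authentication|Failed-Attempt) (?P<kv>.*)$")


def parse_line(line):
    """Return a dict for one record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "passed": m.group("result") == "Passed-Authentication"}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def triage(log_text):
    """Group records by MAC and build the monitor-mode lists from the slide.

    dot1x_ok / dot1x_failed: MACs that ever passed / only ever failed 802.1X
    no_dot1x: MACs that never attempted 802.1X (no supplicant seen)
    mab_ok / mab_unknown: MACs that passed MAB / only ever failed MAB
    """
    by_mac = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "mac" in rec and "method" in rec:
            by_mac[rec["mac"].upper()].append(rec)
    report = {k: set() for k in ("dot1x_ok", "dot1x_failed", "no_dot1x", "mab_ok", "mab_unknown")}
    for mac, recs in by_mac.items():
        dot1x = [r for r in recs if r["method"] == "dot1x"]
        mab = [r for r in recs if r["method"] == "mab"]
        if dot1x:
            report["dot1x_ok" if any(r["passed"] for r in dot1x) else "dot1x_failed"].add(mac)
        else:
            report["no_dot1x"].add(mac)
        if mab:
            report["mab_ok" if any(r["passed"] for r in mab) else "mab_unknown"].add(mac)
    return report


def todo_list(report):
    """The slide's TO DO items, as (action, mac) pairs an operator can work through."""
    todo = [("upgrade-credentials", m) for m in sorted(report["dot1x_failed"])]
    todo += [("install-supplicant-or-confirm-device", m) for m in sorted(report["no_dot1x"])]
    todo += [("update-mac-db", m) for m in sorted(report["mab_unknown"])]
    return todo


if __name__ == "__main__":
    for action, mac in todo_list(triage(SAMPLE_LOG)):
        print(f"{action:40} {mac}")
```

Note that 00-1A-2B-11-22-33 appears in both dot1x_failed and mab_ok: it is a supplicant-capable PC that fell through to MAB, exactly the policy question raised under next-method MAB.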
Open Mode Application 2: Selectively Open Mode
Block general access until successful 802.1X, MAB or WebAuth
Pinhole explicit TCP/UDP ports to allow desired access
interface GigabitE 3/13
 authentication port-control auto
 authentication open
 ip access-group UNAUTH in
Open Mode (Pinhole): on specific TCP/UDP ports, restricted to specific addresses; EAP allowed (controlled port)
Download general-access ACL upon authentication
Sample Open Mode Configs
Slide Source: Ken Hook
[Figure: wired Ethernet endpoints on a Catalyst 6500 802.1X Ethernet port; EAP to ACS/AAA; DHCP/DNS server 10.100.10.116 and PXE/TFTP server 10.100.10.117 reachable before authentication]
interface range gigE 1/0/1 - 24
 switchport access vlan 30
 switchport voice vlan 31
 ip access-group UNAUTH in
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab
ip access-list extended UNAUTH
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
Before authentication (any source):
Switch#show tcam interface g1/13 acl in ip
permit tcp any any established match-any
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
deny ip any any
After authentication (host IP: 10.100.60.200):
Switch#show tcam interface g1/13 acl in ip
permit ip host 10.100.60.200 any
permit tcp any any established match-any
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
deny ip any any
Open Mode with Dynamic ACLs
Dynamic Authorization:VLAN Assignment
Dynamic VLAN assignment based on identity of group, or individual, at the time of authentication
Assigning VLANs by name allows for more flexible VLAN management
Tunnel attributes used to send back VLAN configuration information to authenticator
Tunnel attributes are defined by RFC 2868
Usage for VLANs is specified in the 802.1X standard
2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 80
802.1X with VLAN Assignment

AV pairs used (all are IETF standard):
 [64] Tunnel-Type = VLAN (13)
 [65] Tunnel-Medium-Type = IEEE-802 (6)
 [81] Tunnel-Private-Group-ID = VLAN name (e.g. "Marketing") or VLAN ID

The VLAN name must match the switch configuration. A mismatch results in an authorization failure on the switch: the port is not authorized, even though the RADIUS server has logged a successful authentication.

The switch must be configured to act on authorization attributes from RADIUS:

  aaa authorization network default group radius
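The attributes above are easy to get subtly wrong (tag byte, integer width, a name that does not exist on the switch), so here is an added example, not code from the Cisco deck, that encodes the three RFC 2868 tunnel attributes for a VLAN assignment and models the authenticator-side check. The VLAN table is constructed; the "no authorization" and "VLAN not found" branches mirror Authorization Failures 1 and 2 in the troubleshooting part of this deck. Exact, case-sensitive name matching is an assumption of the model; verify the behaviour on your platform.

```python
"""Added example, not code from the Cisco deck: encoding the three RFC 2868
tunnel attributes that carry a VLAN assignment (per RFC 3580) and a model of
the authenticator-side check that turns a bad value into the authorization
failures shown in the troubleshooting part of this deck.  The VLAN table is
constructed for the demonstration; Tunnel-Type 13 (VLAN) and
Tunnel-Medium-Type 6 (IEEE-802) are the registered values."""
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def encode_vlan_avps(vlan: str, tag: int = 1) -> bytes:
    """Each AVP is type(1) length(1) tag(1) value.  RFC 2868 tags are 0x00-0x1F
    (0x00 = untagged); the same tag on all three groups them as one tunnel."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    avps = []
    for attr, value in ((TUNNEL_TYPE, VLAN.to_bytes(3, "big")),          # 3-byte integer after the tag
                        (TUNNEL_MEDIUM_TYPE, IEEE_802.to_bytes(3, "big")),
                        (TUNNEL_PRIVATE_GROUP_ID, vlan.encode("ascii"))):
        body = bytes([tag]) + value
        avps.append(bytes([attr, 2 + len(body)]) + body)
    return b"".join(avps)

def decode_avps(raw: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, tag, value) triples; refuse malformed lengths instead of
    looping or reading past the buffer."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated AVP header")
        attr, length = raw[i], raw[i + 1]
        if length < 3 or i + length > len(raw):
            raise ValueError("bad AVP length")
        out.append((attr, raw[i + 2], raw[i + 3:i + length]))
        i += length
    return out

def switch_vlan_policy(avps: bytes, vlan_table: Dict[str, int],
                       aaa_authz_network: bool = True) -> Tuple[str, Optional[int]]:
    """Model of the authenticator's decision.
    ('authz_success', id)   VLAN applied
    ('authz_success', None) no VLAN policy (port keeps its configured VLAN)
    ('authz_fail', None)    named/numbered VLAN does not exist on this switch"""
    if not aaa_authz_network:
        # Failure 1 in the deck: without 'aaa authorization network default
        # group radius' the attributes are never acted on.
        return "authz_success", None
    by_tag: Dict[int, Dict[int, bytes]] = {}
    for attr, tag, value in decode_avps(avps):
        by_tag.setdefault(tag, {})[attr] = value
    for _tag, attrs in sorted(by_tag.items()):
        if (int.from_bytes(attrs.get(TUNNEL_TYPE, b"\0"), "big") != VLAN or
                int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"\0"), "big") != IEEE_802):
            continue                      # not a VLAN tunnel group; ignore
        group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        if group.isdigit() and int(group) in vlan_table.values():
            return "authz_success", int(group)
        if group in vlan_table:           # exact match in this model (assumption)
            return "authz_success", vlan_table[group]
        # Failure 2 in the deck: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND
        return "authz_fail", None
    return "authz_success", None

# Constructed VLAN table of one access switch: name -> ID
VLANS: Dict[str, int] = {"Marketing": 50, "Engineering": 60, "VOICE": 110}
```

Note that the two failure outcomes look identical from the RADIUS server's side: it sent an Access-Accept and logs a success either way, which is why the deck's troubleshooting section insists on reading the switch.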
URL Redirect

Requires the HTTP server on the switch
Mainly used for custom notification at this time
Future integration with other Cisco products

Authentication process (client, switch, RADIUS, web page):
 1. 802.1X/MAC authentication
 2. RADIUS authorizes the port with a URL redirect
 3. User initiates a web connection
 4. Switch port redirects to the web page
Authorization Recommendations
All Authorization (VLAN, dACL, etc.) is completely optional
Only use it if you have to separate users due to a business requirement
Most enterprises do not have this requirement for known users
Leave the port in its default VLAN or assign the VLAN during machine authentication if possible
802.1X Deployment Considerations: Authentication and Endpoint Considerations
802.1X Authentication Database

Where is the single source of authentication credentials for the enterprise?

Do you have to build a new database, or extend trust between existing databases?

Some enterprises cannot use Active Directory (AD) or another Network Operating System (NOS) user/machine authentication database

The EAP method may impose requirements on the authentication database. For example, PEAP/MS-CHAPv2 requires the server to hold the password in cleartext or NT-hash form (as AD does); a directory that stores only salted one-way hashes cannot serve it, whereas EAP-TLS or PEAP/EAP-GTC with an LDAP bind avoids that dependency.
Supplicant Considerations

Microsoft Windows
 User and machine authentication
 DHCP request time out
 Machine authentication restriction
 Default methods: MD5, PEAP, EAP-TLS

Unix/Linux considerations
 Open source: xsupplicant project (University of Utah), available from http://www.open1x.org
 Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC

Apple
 Native Apple supplicant support since OS X 10.3
 802.1X is turned off by default!
 Default parameters: TTLS, LEAP, PEAP, MD5, FAST supported
 Support for AirPort and wired interfaces
 In 10.5, single sign-on (SSO) can be accomplished for system or user, not both at the same time
Cisco Secure Services Client (SSC)

Introduces features over and above the native supplicants:
 EAP types: PEAP, TLS, FAST, etc.
 Management interfaces
 Automatic VPN initiation
 Windows XP, 2003, Vista

Features: robust profile management, support for industry standards, endpoint integrity, single sign-on capable, enabling of group policies, administrative control

Benefits: simple, secure device connectivity; minimizes chances of network compromise from infected devices; reduces complexity; restricts unauthorized network access; centralized provisioning
802.1X Deployment Considerations: 802.1X and Microsoft Windows
Windows Boot Cycle Overview

Boot sequence; steps that depend on network connectivity are marked [network]:
 1. Power on
 2. Kernel loading, Windows HAL loading, device driver loading
 3. Obtain network address (static, DHCP) [network]
 4. Determine site and DC (DNS, LDAP) [network]
 5. Establish secure channel to AD (LDAP, SMB) [network]
 6. Kerberos authentication (machine account) [network]
 7. Computer GPOs loading (async) [network]
 8. GPO-based startup script execution [network]
 9. Certificate auto-enrollment, time synchronization, dynamic DNS update [network]
 10. GINA (Ctrl-Alt-Del logon)
 11. Kerberos authentication (user account) [network]
 12. User GPOs loading (async) [network]
 13. GPO-based logon script execution (SMB) [network]

The whole sequence carries an inherent assumption of network connectivity. With 802.1X user authentication only, the earliest network connectivity is after the GINA logon (step 10), so steps 3 through 9 are broken.
Problem 1: Microsoft Issues with DHCP

DHCP is a parallel event, independent of 802.1X authentication

With wired interfaces a successful 802.1X authentication does not force a DHCP address discovery (there is no media-connect signal)

DHCP starts as soon as the interface comes up; if 802.1X authentication takes too long, DHCP times out

Timeline: power up, load NDIS drivers, then DHCP (times out at 62 seconds) runs in parallel with 802.1X authentication (variable timeout); the secure channel to the DC is set up and the GINA (Ctrl-Alt-Del) login is presented afterwards
Problem 2: Machine GPOs Broken

What is a Group Policy?

Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment

Types of Group Policy
 Registry-based policy
 Security options
 Software installation and maintenance options
 Scripts options
 Folder redirection options
The Solution: Machine Authentication

What is machine authentication?
 The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session

What is it used for?
 Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies

Why do we care?
 Pre-802.1X this worked under the assumption that network connectivity was a given; post-802.1X the blocking of network access prior to 802.1X authentication breaks DHCP and the machine-based group policy model, UNLESS the machine can authenticate using its own identity in 802.1X
802.1X VLAN Assignment Problem 1: DHCP Renewal

When using dynamic VLAN assignment with user and machine authentication, the IP address may need to change as well

Supplicant behavior has been addressed by Microsoft
 Windows XP: install Service Pack 1a + KB 826942
 Windows 2000: install Service Pack 4
 Needed for VLAN assignment with Wireless Zero Config

Updated supplicants trigger a DHCP IP address renewal: a successful authentication causes the client to ping the default gateway (three times) with a sub-second timeout
 Lack of an echo reply triggers a DHCP renew
 A successful echo reply leaves the IP as is
 The pre-renewal ping prevents lost connections when the subnet stays the same but the client may be WLAN roaming
DHCP and 802.1X (For Your Reference)
Windows XP: install Service Pack 1a + KB 826942; Windows 2000: install Service Pack 4

Sequence between supplicant, authenticator and authentication server:
 1. Authenticator sends the login request; supplicant sends its credentials
 2. Authenticator forwards the credentials to the ACS server; the server returns Accept with the VLAN assignment
 3. Authentication successful (EAP-Success); the port moves to the assigned VLAN
 4. Supplicant sends ICMP Echo (x3) to the default gateway as soon as the EAP-Success frame is received
 5. After the pings have gone unanswered, the supplicant sends a DHCP-Request (destination 255.255.255.255) for its old lease
 6. DHCP server answers DHCP-NAK (wrong subnet)
 7. Supplicant sends DHCP-Discover (destination 255.255.255.255); at this point DHCP proceeds normally
VLAN Assignment: Machine VLAN and User VLAN

Figure: the same boot sequence as in the Windows Boot Cycle Overview, with 802.1X inserted. 802.1X machine authentication runs before the network address is obtained (machine VLAN), and 802.1X user authentication runs after the GINA logon (user VLAN). The start of 802.1X authentication may vary among supplicants, so the components that immediately follow each authentication (obtaining the address, locating the DC and Kerberos machine authentication on the machine side; Kerberos user authentication, user GPOs and logon scripts on the user side) are in a race condition with it. The figure marks a second set of racing components for Fast Logon Optimization.
Problem 3: VLAN Assignment and GPOs

Figure: the same boot sequence, with the machine authenticated into VLAN1 (10.1.1.1) and the user later authenticated into VLAN2 (99.1.1.1). The start of 802.1X authentication may vary among supplicants, and the components that follow each authentication (address, site/DC discovery and Kerberos machine steps after machine authentication; Kerberos user, user GPO and logon-script steps after user authentication) are in a race condition with it. The user VLAN change moves the client between subnets in the middle of that sequence, which is what breaks GPO processing.
Vista SP1/Windows 2008 and XP SP3

If the supplicant fails 802.1X authentication once, it blocks the interface for twenty minutes before it tries again
 Vista SP1/Windows 2008: KB957931, http://support.microsoft.com/kb/957931
 XP SP3: KB coming soon
802.1X and Windows Recommendations

Machine authentication is mandatory for managed environments
 Consider machine authentication only

Manage auth behavior on XP SP2/2000 via registry keys
 http://support.microsoft.com/kb/309448/en-us
 http://www.microsoft.com/technet/network/wifi/wififaq.mspx

Manage the XP SP3/Vista supplicant through XML profiles
 http://support.microsoft.com/kb/929847

Use the automatic provisioning built into AD if possible
 Machines are provisioned automatically with a machine password
 Certificates can be automatically provisioned via AD GPOs
VLANs and Windows: Recommendations

When using dynamic VLANs:
 Disable Fast Logon Optimization
 Use the same VLAN for machine and user authorization
 VLAN assignment requires AD, DHCP server and network switch changes (planning, routing, trunking, etc.)

Access Control Lists (ACLs) are a policy enforcement alternative to VLANs. Beware of TCAM implications: the number of ACEs on an L3 switch is limited.

An ACL per port can be assigned by the RADIUS server per group.
802.1X Deployment Considerations: Other Considerations
Remote Desktop

XP: Microsoft Remote Desktop logs off the local user and drops the machine into machine mode, which results in a machine authentication
Vista: leaves the local user logged onto the system, so it does not trigger an 802.1X authentication

If machine authentication and user authentication result in the same VLAN, there are no problems
If machine authentication puts the machine in a different VLAN, then user authentication must be maintained despite Windows logging the user off
 SSC on XP provides the above solution
Preboot eXecution Environment (PXE): Default Security Impact

  interface FastEthernet 3/48
   authentication port-control auto

One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else). ALL traffic except EAPoL is dropped until the controlled port is authorized.

PXE BIOS needs network access within 60 seconds of link-up to download a bootable OS. Most PXE implementations do not support 802.1X. No 802.1X = no network access = no OS download.
PXE Solution 1: MAC Authentication Bypass (MAB)

  interface GigabitEthernet 3/13
   authentication port-control auto
   dot1x timeout tx-period 10
   mab

Packet sequence between the PXE BIOS client (MAC 00.0a.95.7f.de.06), the switch and RADIUS (exact packet sequence will vary):
 1. Link up: switch sends EAPOL-Request (Identity); the client's DHCP Discover 1 is dropped
 2. After 10 seconds: EAPOL-Request (Identity) retransmitted; DHCP Discover 2 dropped
 3. After 10 more seconds: EAPOL-Request (Identity) retransmitted; DHCP Discover 3 dropped
 4. EAPOL timeout: switch initiates MAB, learns the client MAC from the next frame (timing variable) and sends RADIUS Access-Request with username 00.0a.95.7f.de.06
 5. RADIUS Access-Accept: port enabled
 6. DHCP Discover 4 is forwarded; PXE continues
PXE Solution 2: Open Mode with Interface ACL

Selectively open access: block general access until successful MAB; pinhole explicit TCP/UDP ports to allow the desired access

  interface GigabitEthernet 3/13
   authentication port-control auto
   authentication open
   ip access-group UNAUTH in

Open Mode (Pinhole)
 On specific TCP/UDP ports for PXE (DHCP, TFTP)
 Restrict to specific addresses
 EAP allowed (uncontrolled port, as always)
 Download general-access ACL upon authentication
Wake On LAN (WOL) and 802.1X

By default 802.1X controls port traffic in BOTH directions: outbound traffic (from the switch) is blocked until successful 802.1X/MAB, so a WOL magic packet never reaches the sleeping device

Use the WOL support on the switch to allow outbound (from switch) traffic to wake up the device while inbound traffic stays controlled:

  interface GigabitEthernet 3/13
   authentication port-control auto
   authentication control-direction in
Intel Active Management Technology (AMT): PXE and WoL Solution

AMT has a supplicant on the NIC (authenticated user: AMT)

The AMT device is authenticated before the PXE BIOS runs, so PXE can proceed as if 802.1X had never been enabled

The AMT device is authenticated after the device goes to sleep
 Defends the IP address of the upper-layer OS
 No more directed broadcasts for WoL magic packets
 Looks the same as without 802.1X

  interface FastEthernet 3/48
   authentication port-control auto
   dot1x pae authenticator
Monitoring and Troubleshooting

802.1X Monitoring and Troubleshooting

Major components of 802.1X monitoring
 RADIUS accounting
 NAD logs
 RADIUS logs
 NAD CLI
 SNMP on NAD

Major components of 802.1X troubleshooting
 Correlated log reports (ACS View)
 Third-party log analysis and reporting
 SNMP on NAD
 NAD CLI
802.1X with RADIUS Accounting

Supplicant / 802.1X process / RADIUS process:
 1. Authenticate
 2. Access-Accept from RADIUS; EAPOL-Success to the supplicant
 3. Accounting-Request from the switch
 4. Accounting-Response from RADIUS

Accounting-Request packets contain one or more AV pairs to report various events and related information to the RADIUS server; user-level events are tracked with the same mechanism

Similar to other accounting and tracking mechanisms that already exist using RADIUS, and can now be done through 802.1X
 Increases network session awareness
 Provides information to a management infrastructure about who logs in, session duration, basic billing/usage reporting, etc.
 Provides a means to map the authenticated identity to its IP address: authentication yields Identity, Port, MAC, Switch; accounting (Framed-IP-Address, once the switch has learned the client's IP) yields IP, Port, MAC, Switch. Joined on Port, MAC and Switch: Identity = IP, and Switch + Port = Location

IOS:
  aaa accounting dot1x default start-stop group radius
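The identity-to-IP and switch-plus-port-to-location mapping described above is what an incident responder actually needs from 802.1X accounting. Here is an added example, not code from the Cisco deck, that folds Start, Interim-Update and Stop records into a session table keyed on Acct-Session-Id and answers "who had this IP" and "where is this user". The records are constructed (user, MAC and IP values reuse the session output shown later in the deck; the NAS address and the fact that the IP arrives in an Interim-Update rather than the Start are assumptions).

```python
"""Added example, not code from the Cisco deck: correlating RADIUS accounting
records from an 802.1X switch into a session table that maps identity to IP
address and to location (switch + port).  The records are constructed;
attribute names follow RFC 2866/2869, and Acct-Session-Id ties the Start,
Interim-Update and Stop records of one session together."""
from typing import Dict, List, Optional

# Constructed Accounting-Request records, one dict of AVPs each.  The IP shows
# up in an Interim-Update because the switch only learns it after the Start
# (assumption about timing; it may also be present in the Start).
ACCOUNTING: List[Dict[str, str]] = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0x00000011",
     "User-Name": "nac\\darrimil", "Calling-Station-Id": "00-0D-60-FC-8B-F5",
     "NAS-IP-Address": "10.0.100.90", "NAS-Port-Id": "GigabitEthernet7/1"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0x00000009",
     "User-Name": "00-0F-23-22-D9-A2", "Calling-Station-Id": "00-0F-23-22-D9-A2",
     "NAS-IP-Address": "10.0.100.90", "NAS-Port-Id": "GigabitEthernet7/1"},
    {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "0x00000011",
     "Framed-IP-Address": "10.6.50.2", "Acct-Session-Time": "30"},
    {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "0x00000009",
     "Framed-IP-Address": "10.6.110.2", "Acct-Session-Time": "45"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0x00000011",
     "Acct-Session-Time": "3600", "Acct-Terminate-Cause": "User-Request"},
]

class Session:
    def __init__(self, start: Dict[str, str]) -> None:
        self.identity = start["User-Name"]
        self.mac = start["Calling-Station-Id"]
        self.switch = start["NAS-IP-Address"]
        self.port = start["NAS-Port-Id"]
        self.ip: Optional[str] = None
        self.seconds = 0
        self.active = True
        self.terminate_cause: Optional[str] = None

    @property
    def location(self) -> str:
        """Switch + port = location."""
        return f"{self.switch} {self.port}"

def build_sessions(records: List[Dict[str, str]]) -> Dict[str, Session]:
    """Fold Start / Interim-Update / Stop records into per-session state."""
    sessions: Dict[str, Session] = {}
    for r in records:
        sid, kind = r["Acct-Session-Id"], r["Acct-Status-Type"]
        if kind == "Start":
            sessions[sid] = Session(r)
            continue
        s = sessions.get(sid)
        if s is None:
            continue                  # Interim/Stop whose Start was never seen
        if "Framed-IP-Address" in r:
            s.ip = r["Framed-IP-Address"]
        if "Acct-Session-Time" in r:
            s.seconds = int(r["Acct-Session-Time"])
        if kind == "Stop":
            s.active = False
            s.terminate_cause = r.get("Acct-Terminate-Cause")
    return sessions

def who_has_ip(records: List[Dict[str, str]], ip: str) -> Optional[str]:
    """Identity = IP: answer 'who had this address'."""
    for s in build_sessions(records).values():
        if s.ip == ip:
            return s.identity
    return None

def where_is(records: List[Dict[str, str]], identity: str) -> Optional[str]:
    """Switch + port for a given identity."""
    for s in build_sessions(records).values():
        if s.identity == identity:
            return s.location
    return None
```

On a real collector you would key on NAS-IP-Address plus Acct-Session-Id, since session IDs are only unique per switch, and keep the Stop records: the IP-to-identity answer is only valid for the interval between the Interim-Update that carried the address and the Stop.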
Troubleshooting: Identify Points of Failure

It is important to understand the failure point in the picture, and which issue causes which failures

In most cases the description of the symptom is vague or misleading, and you must correlate separate pieces of information for problem resolution

(Screenshots: ACS View 5.0 RADIUS Authentication report; ACS View 5.0 Authentication Details; simple homegrown tools)
802.1X Port Config (For Your Reference)

ID-6500a#show authentication sessions interface gigabitEthernet 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Unknown
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A00000007000E37CC
      Acct Session ID:  0x00000009
               Handle:  0x0E000007

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
----------------------------------------
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.50.2
            User-Name:  nac\darrimil
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Healthy
        Authorized By:  Authentication Server
          Vlan Policy:  50
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000D0030B498
      Acct Session ID:  0x00000011
               Handle:  0x1500000D

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

The phone (VOICE domain) has no supplicant, so dot1x timed out and failed over to MAB; the PC (DATA domain) authenticated with dot1x and received VLAN 50. The port configuration that produces this:

interface GigabitEthernet7/1
 switchport
 switchport mode access
 switchport voice vlan 110
 ip access-group default_acl in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge
EAP Problem: Certificate Trust Issues

One of the most common issues seen in deployments and pilots; the screenshots show how it appears in ACS 5.0 and ACS 4.2. Typically the supplicant does not trust the CA that issued the ACS server certificate (or the server name check fails) and aborts the TLS handshake inside PEAP/EAP-TLS, so ACS logs an EAP failure; the fix is to distribute the issuing CA to the supplicants' trusted root store.
802.1X Authorization Failure 1

In case network authorization is NOT ENABLED on the NAD, i.e. the following CLI is missing:

  aaa authorization network default group radius

ACS Message Type: Authentication Successful
Authentication Failure Reason (AFR): there is no AFR associated with this error since authentication succeeds

User experience:
 VLAN assignment "succeeds" but assigns the port to VLAN 0; because there is no VLAN 0, the default port VLAN is used and the client gets an address from it
 Session-Timeout (RADIUS attribute 27) is not applied to the port as the reauthentication timer value; the reauthentication timer becomes 0, which means there is no reauthentication
 Supplicant might try to re-
802.1X Authorization Failure 1: debug output

ID-6500a#debug condition interface GigabitEthernet 7/1      (new feature: limits the debug to one interface)
ID-6500a#debug auth feature vlan_assign event
Auth Feature vlan_assign events debugging is on
*Dec 15 14:46:58.439: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1

ID-6500a#show authentication sessions interface g 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.50.2
            User-Name:  nac\darrimil
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000E005DD8A8
      Acct Session ID:  0x00000013
               Handle:  0xF900000E

The tell-tales are "Successfully assigned VLAN 0" in the debug and "Vlan Policy: N/A" on a session that is otherwise Authz Success.
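Both session listings above are the raw material for a quick health check of a port. As an added example, not code from the Cisco deck, here is a parser for `show authentication sessions interface` output that flags the two conditions the deck has shown so far: dot1x that failed over to MAB, and a dot1x session that is Authz Success but carries no VLAN policy (the missing `aaa authorization network` case). The sample is the deck's own output, reduced to the fields the parser needs and embedded as a constructed string.

```python
"""Added example, not code from the Cisco deck: a parser for
'show authentication sessions interface' output that flags dot1x failover
to MAB and 'Authz Success' sessions with no VLAN policy.  SAMPLE reproduces
the deck's two session listings (trimmed) as a constructed string."""
import re
from typing import Dict, List

SAMPLE = """\
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
----------------------------------------
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.50.2
            User-Name:  nac\\darrimil
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
          Vlan Policy:  N/A
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")
METHOD = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")
SEPARATOR = "----------------------------------------"

def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split on the dashed separator, collect 'Key:  value' fields and the
    per-method states under 'Runnable methods list' as 'method:<name>'."""
    sessions: List[Dict[str, str]] = []
    for chunk in text.split(SEPARATOR):
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = METHOD.match(line)
            if m:
                fields["method:" + m.group(1)] = m.group(2)
                continue
            m = FIELD.match(line)
            if m and m.group(1) != "Runnable methods list":
                fields[m.group(1)] = m.group(2)
        if fields:
            sessions.append(fields)
    return sessions

def findings(session: Dict[str, str], expect_vlan: bool = True) -> List[str]:
    """Human-readable findings for one session.  expect_vlan=False for ports
    where no dynamic VLAN is supposed to be assigned."""
    out: List[str] = []
    if (session.get("method:dot1x") == "Failed over"
            and session.get("method:mab") == "Authc Success"):
        out.append("dot1x failed over to MAB (no supplicant or supplicant failure)")
    if (expect_vlan and session.get("Status") == "Authz Success"
            and session.get("method:dot1x") == "Authc Success"
            and session.get("Vlan Policy", "N/A") == "N/A"):
        out.append("Authz Success without VLAN policy: check "
                   "'aaa authorization network default group radius' on the switch")
    return out

def audit(text: str, expect_vlan: bool = True) -> Dict[str, List[str]]:
    """MAC address -> findings, for every session in the output."""
    return {s.get("MAC Address", "?"): findings(s, expect_vlan)
            for s in parse_sessions(text)}
```

Feed it the output of the command over SSH or from a collector; a phone failing over to MAB is expected, a PC doing so is worth a look.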
802.1X Authorization Failure 2

In case an invalid RADIUS attribute is sent in the RADIUS Access-Accept

ACS Message Type: Authentication Successful
AFR: there is no AFR associated with this error since authentication succeeds

User experience: the RADIUS Access-Accept carries an invalid attribute 81 (Tunnel-Private-Group-ID). If it is a string, it needs to match a VLAN name that exists on the switch; if it is an integer, it needs to match a VLAN ID that exists on the switch. The Passed Authentications report says the authentication is successful, but the authorization failure on the switch is NEVER reported back to ACS:

*Dec 15 15:03:21.007: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
802.1X Authorization Failure 3

In case a downloadable ACL is sent in the RADIUS Access-Accept but no interface ACL is configured on the port

ACS Message Type: Authentication Successful
AFR: there is no AFR associated with this error since authentication succeeds

User experience: the dACL downloads successfully but cannot be applied. The Passed Authentications report says the authentication is successful, while the authorization failure on the switch is NEVER reported back to ACS:

*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %EPM-6-POLICY_REQ: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=APPLY
*Aug 26 13:44:29.991: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023| EVENT=DOWNLOAD-REQUEST
*Aug 26 13:44:30.003: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023| EVENT=DOWNLOAD-SUCCESS
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.003: %EPM-6-IPEVENT: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=IP-WAIT
*Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1

When the downloadable ACL feature is used there must be an interface ACL applied to the interface (for example "ip access-group default_acl in", as in the port configuration earlier).
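Since none of the three authorization failures is reported back to ACS, the switch syslog is the only place they can be caught. Here is an added example, not code from the Cisco deck, that correlates the %DOT1X, %AUTHMGR, %DOT1X_SWITCH and %EPM messages (plus the vlan_assign debug line) per attempt and reports sessions that ACS would show as "Authentication Successful" but that did not end in the intended authorization. The log lines are the deck's, trimmed, with one constructed clean attempt on Gi7/2 added for contrast; attaching MAC-less lines to the open attempt on the same interface is an assumption that holds for one client per port or multi-domain with a single data host.

```python
"""Added example, not code from the Cisco deck: correlate Catalyst syslog
into per-attempt records so that 'authenticated but not (correctly)
authorized' sessions surface even though ACS never hears about them.  LOG
reproduces the deck's lines (trimmed) plus one constructed clean attempt."""
import re
from typing import Dict, List, Optional

LOG = """\
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:50:00.000: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi7/2
*Aug 26 13:50:00.100: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi7/2
"""

MAC_RE = re.compile(r"client \(([0-9a-f.]{14})\)|MAC=([0-9a-f.]{14})")
IFACE_RE = re.compile(r"(?:on Interface |802\.1x port |VLAN-ASSIGN-EVENT \()([A-Za-z]+\d[\d/]*)")
VLAN_RE = re.compile(r"shutdown VLAN (\S+) to")
REASON_RE = re.compile(r"REASON=([^|]+)")

def short_iface(name: str) -> str:
    """'GigabitEthernet7/1' and 'Gi7/1' name the same port in these logs."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\d[\d/]*)", name)
    return (m.group(1) + m.group(2)) if m else name

def _mac(line: str) -> Optional[str]:
    m = MAC_RE.search(line)
    return (m.group(1) or m.group(2)) if m else None

def _iface(line: str) -> Optional[str]:
    m = IFACE_RE.search(line)
    return short_iface(m.group(1)) if m else None

def correlate(log: str) -> List[Dict[str, str]]:
    """One record per %DOT1X-5-SUCCESS, closed by %AUTHMGR-5-SUCCESS/FAIL.
    Lines carrying only an interface (debug, ERR_VLAN_NOT_FOUND) or only a
    MAC (%EPM) are attached to the open attempt with that key (assumption)."""
    attempts: List[Dict[str, str]] = []
    pending: Dict[str, Dict[str, str]] = {}     # iface or mac -> open attempt
    for line in log.splitlines():
        mac, iface = _mac(line), _iface(line)
        if "%DOT1X-5-SUCCESS" in line and mac and iface:
            rec = {"mac": mac, "iface": iface, "authz": "pending", "reason": ""}
            attempts.append(rec)
            pending[iface] = pending[mac] = rec
            continue
        rec = pending.get(iface) if iface else None
        if rec is None and mac:
            rec = pending.get(mac)
        if rec is None:
            continue
        if "Successfully assigned VLAN 0" in line:
            rec["reason"] = "VLAN 0 assigned: 'aaa authorization network default group radius' missing"
        elif "ERR_VLAN_NOT_FOUND" in line:
            v = VLAN_RE.search(line)
            rec["reason"] = f"VLAN '{v.group(1) if v else '?'}' does not exist on switch"
        elif "%EPM-4-POLICY_APP_FAILURE" in line:
            r = REASON_RE.search(line)
            rec["reason"] = "dACL not applied: " + (r.group(1).strip() if r else "unknown")
        elif "%AUTHMGR-5-FAIL" in line or "%AUTHMGR-5-SUCCESS" in line:
            rec["authz"] = "fail" if "FAIL" in line else "success"
            pending.pop(rec["iface"], None)
            pending.pop(rec["mac"], None)
    return attempts

def silent_failures(log: str) -> List[Dict[str, str]]:
    """Attempts ACS logged as successful that failed or degraded on the switch."""
    return [a for a in correlate(log) if a["authz"] == "fail" or a["reason"]]
```

The first attempt is the nasty one: the switch itself logs "Authorization succeeded", so only the VLAN 0 debug line (or the "Vlan Policy: N/A" in the session table) reveals that the RADIUS attributes were ignored.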
Looking Forward

Overview of Cisco TrustSec

Cisco TrustSec (CTS) affects multiple areas of the network and comprises improvements in the following areas:
 1. Confidentiality and integrity
 2. Centralized Role Based Access Control (RBAC) policy administration
 3. Identification, authentication and authorization for all networked entities, and classification into topology-independent security groups
SGACL Enforcement (1) to (3)

Figure: User 1, User 2 and User 3 authenticate through Cisco ACS (backed by an external directory server) and are classified into security groups; their traffic to Server 1 and Server 2 is filtered by SGACLs at the egress switches.

 1. A Security Group Tag (SGT) is applied on the ingress switch port
 2. Role/attribute-based ACL policies are applied on the security group tags

RBACL policy matrix (SGT -> DGT):
 SGT 4 -> S1 + S2
 SGT 7 -> S1
 SGT 9 -> S2

Resulting access (consistent with the matrix):
 User 1 (SGT 4) has access to both servers
 User 2 (SGT 7) has access to Server 1
 User 3 (SGT 9): access to Server 1 denied
Customer Case Study

802.1X Deployment Case Study 1

Retailer required to only allow its own assets to connect to the network, due to lack of physical security
Selected 802.1X as the technical solution after evaluation
Primarily a Microsoft desktop and server environment; small group of Mac OS X for designers
Approximately 14,000 ports at home office and remote stores
Cisco IP Telephony environment
Pervasive wireless environment

802.1X Deployment Case Study 1 (cont.)

Selected machine authentication only for wired and wireless
Leveraged the automatic provisioning of machine certificates in Active Directory to provision the machine credentials (automatic user certificates also possible)
Manually provisioned non-AD devices where possible
Failed-authentication VLAN and unknown-MAC-address VLAN at remote sites
No guest WLAN access
IAB (Inaccessible Authentication Bypass) used for AAA failures, for remote-office survivability
Multiple supplicants; try to leverage the native OS supplicant if possible

802.1X Deployment Case Study 1 (cont.)

Lab work
 IP Telephony handled by CDP exceptions
 PXE tested and handled via MAB
 No Wake On LAN
 Decided to handle credential re-provisioning via an SSL VPN account triggered by a help desk ticket
 Bought a 3rd-party tool to build the MAC address database
 Extended SIM for reporting
 Decided on an access-layer-only deployment since the data center had physical security