Deploying Wired 802.1X


  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1

    Deploying Wired 802.1X

    BRKSEC-2005


    Housekeeping

    We value your feedback: don't forget to complete your online session evaluations after each session and complete the Overall Conference Evaluation, which will be available online from Thursday

    Visit the World of Solutions

    Please remember this is a 'non-smoking' venue!

    Please switch off your mobile phones

    Please make use of the recycling bins provided

    Please remember to wear your badge at all times including the Party


    Session Objective

    Understand base 802.1X concepts

    Learn the benefits of deploying 802.1X

    Learn how to configure and deploy 802.1X

    Learn lessons on how to make it work when you get back to your lab


    Agenda

    802.1X and Wired Access

    Default Functionality

    Deployment Considerations

    Reporting and Monitoring

    Looking Forward

    Deployment Case Study


    AAA authentication on routers

    IPSec authentication

    In-depth concepts on identity management and single sign-on (upper layer identity)

    Specific Extensible Authentication Protocol (EAP) methods in depth

    X.509 certificates and PKI

    Wireless LAN 802.1X

    Switch Features that are not consistent across platforms

    CatOS


    802.1X and Wired Access

    Why Is 802.1X Important in the Campus?

    1. Who are you?
       802.1X (or a supplementary method) authenticates the user

    2. Where can you go?
       Based on authentication, the user is placed in the correct VLAN

    3. What service level do you receive?
       The user can be given per-user services (ACLs today, more to come)

    4. What are you doing?
       Identity can be used for tracking and accounting

    Keep the Outsiders Out
    Keep the Insiders Honest
    Personalize the Network
    Increase Network Visibility

    Basic Identity Concepts

    What is an identity?
    An assertion of who we are; it allows us to differentiate between one another.

    What does it look like? Typical network identities include:
    Username / Password
    Email: [email protected]
    MAC Address: 00-0c-14-a4-9d-33
    IP Address: 10.0.1.199
    Digital Certificates

    How do we use identities?
    Used to grant appropriate authorization rights to services within a given domain


    What Is Authentication? Authorization?

    Authentication is the process of establishing and confirming the identity of a client requesting services

    Authentication is only useful if used to establish corresponding authorization (e.g. access to a bank account)

    200.00 Euros Please.

    Do You Have Identification?

    Yes, I Do. Here It Is.

    An Authentication System Is Only as Strong as the Method of Verification Used


    Identity and Authentication Are Important?

    Identity-Enabled Networking

    Applying the Authentication Model to the Network

    Identification required

    Here is my identification

    Identification verified, access granted!

    Default Functionality


    IEEE 802.1X

    Standard set by the IEEE 802.1 working group

    Is a framework designed to address and provide port-based access control using authentication

    802.1X is primarily an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol

    Layer 2 protocol for transporting authentication messages (EAP) between the supplicant (user/PC) and the authenticator (switch or access point)

    Assumes a secure connection

    Actual enforcement is via MAC-based filtering and port-state monitoring

    802.1X Port Access Control Model

    Supplicant (Layer 2): desktop/laptop, IP phone, WLAN AP, switch, or a client such as SSC. Requests service (connectivity).
    Authenticator (Layer 2 towards the supplicant, Layer 3 towards the server): switch, router, WLAN AP. Provides backend authentication support.
    Authentication Server (Layer 3): IAS / NPS, ACS, any IETF RADIUS server. Provides identity store integration.
    Identity Store / Management: MS Active Directory, LDAP, NDS, ODBC.

    802.1X Protocols

    Supplicant (SSC) <-- EAP over LAN (EAPoL) / EAP over WLAN (EAPoW), Layer 2 --> Authenticator <-- RADIUS, Layer 3 --> Authentication Server <-- store-dependent protocol --> Identity Store

    EAP runs end to end between supplicant and authentication server: at Layer 2 it is carried as EAPoL/EAPoW between supplicant and authenticator, at Layer 3 inside RADIUS between authenticator and authentication server; the authentication server reaches the identity store over a store-dependent protocol.

    802.1X - Extensible Authentication Protocol (EAP)

    Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges

    EAP provides a flexible link layer security framework

    Simple encapsulation protocol

    No dependency on IP

    Few link layer assumptions

    Can run over any link layer (PPP, 802, etc.)

    Assumes no reordering

    Can run over lossy or lossless media

    Defined by RFC 3748

    802.1X - RADIUS

    RADIUS acts as the transport for EAP from the authenticator to the authentication server

    RFC 3579 defines how RADIUS should support EAP between authenticator and authentication server

    RADIUS is also used to carry policy instructions (authorization) back to the authenticator in the form of AV pairs

    RFC 3580 gives usage guidelines for 802.1X authenticators' use of RADIUS

    AV Pairs: Attribute-Value Pairs

    Packet layout (authentication): IP Header | UDP Header | RADIUS Header | EAP Payload
    Packet layout (authorization): IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs

    A Closer Look: IOS Switch Configuration

    Port state before authentication: Unauthorized. The supplicant (SSC) talks 802.1X to the Cisco IOS switch.

    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    radius-server host 10.100.100.100
    radius-server key cisco123
    dot1x system-auth-control
    interface GigabitEthernet1/0/1
     authentication port-control auto
     dot1x pae authenticator

    A Closer Look: The 802.1X Exchange

    Actual authentication is between the client and the authentication server using EAP. The switch is an EAP conduit, but aware of

    Supplicant (SSC) --802.1X--> Switch --RADIUS--> Authentication Server

    Port Unauthorized
    1. EAPOL-Start (supplicant -> switch)
    2. EAP-Identity-Request (switch -> supplicant)
    3. EAP-Identity-Response (supplicant -> switch)
    4. EAP-Auth Exchange between supplicant and switch (EAP method dependent), relayed as the Auth Exchange w/AAA Server between switch and authentication server
    5. Auth Success & Policy Instructions (authentication server -> switch)
    6. EAP-Success (switch -> supplicant)
    Port Authorized
    7. EAPOL-Logoff (supplicant -> switch)
    Port Unauthorized
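    The exchange above, as an added worked example that is not part of the deck: a small Python builder and parser for the EAPOL/EAP frames the supplicant and switch trade (EAPOL-Start, EAP-Identity-Request/Response, EAP-Success, EAPOL-Logoff), using the frame layouts from IEEE 802.1X and RFC 3748. The source MAC addresses and the identity "sally" are constructed sample values; the helper names are mine, and the method-dependent EAP exchange in the middle is left out.

```python
import struct
from typing import Dict, List, Optional

# Constants from IEEE 802.1X and RFC 3748; the PAE group address is the
# "D = 01.80.c2.00.00.03" destination shown on the slides
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Constructed sample addresses (not from the deck)
SUPPLICANT_MAC = bytes.fromhex("000c14a49d33")
SWITCH_MAC = bytes.fromhex("001122334455")


def eap_packet(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP header per RFC 3748 4.1: Code, Identifier, Length, then Type + data for Request/Response only."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def eapol_frame(src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet II header to the PAE group address + EAPOL header (Version, Type, Body Length)."""
    ethernet = PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return ethernet + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def parse_eapol(frame: bytes) -> Dict:
    """Decode one frame; rejects non-EAPOL EtherTypes and EAP length mismatches."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPOL header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
            "eapol_type": EAPOL_TYPE_NAMES.get(eapol_type, eapol_type)}
    if eapol_type == EAPOL_EAP_PACKET:
        body = frame[18:18 + body_len]
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len != len(body):
            raise ValueError("EAP length field does not match body")
        info.update(code=EAP_CODE_NAMES.get(code, code), id=identifier)
        if code in (EAP_REQUEST, EAP_RESPONSE):
            info["type"] = body[4]
            info["data"] = body[5:]
    return info


def slide_exchange(identity: bytes = b"sally") -> List[Dict]:
    """The sequence from the slide: Start, Identity-Request, Identity-Response, Success, Logoff.
    The EAP method exchange itself is method dependent and omitted here."""
    frames = [
        eapol_frame(SUPPLICANT_MAC, EAPOL_START),
        eapol_frame(SWITCH_MAC, EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
        eapol_frame(SUPPLICANT_MAC, EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)),
        eapol_frame(SWITCH_MAC, EAPOL_EAP_PACKET, eap_packet(EAP_SUCCESS, 2)),
        eapol_frame(SUPPLICANT_MAC, EAPOL_LOGOFF),
    ]
    return [parse_eapol(f) for f in frames]


if __name__ == "__main__":
    for msg in slide_exchange():
        print(msg)
```

    Note that EAPOL-Start and EAPOL-Logoff carry no EAP body, while EAP-Success carries an EAP header but no Type field, which is why the parser only reads a Type for Request and Response codes.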

    Default Security with 802.1X: Before Authentication

    Strict access control: ALL traffic except EAPoL is dropped
    No visibility (yet): the user is unknown

    One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else)

    interface fastEthernet 3/48
     authentication port-control auto

    Default Security with 802.1X: After Authentication

    User/device is known (Authenticated User: Sally)
    Identity-based access control
    Single MAC per port
    Looks the same as without 802.1X

    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator

    Default authorization is on or off. Dynamic VLANs or ACLs can be used to customize the user experience.

    Default Security: Consequences

    Default 802.1X challenge: devices without supplicants. No EAPoL = No Access; the device stays offline.

    One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else)

    interface fastEthernet 3/48
     authentication port-control auto
     dot1x pae authenticator

    Default Security: More Consequences

    Multiple MACs on a port are assumed to be malicious: hubs, gratuitous ARPs, VMware virtual machines (same port configuration as above)

    Deployment Considerations


    802.1X Deployment Considerations

    Non-802.1X Clients & Guests

    Failed Access Handling

    RADIUS Availability

    Flexible Authentication Sequencing

    Multiple Devices Per Port

    Authorization

    Authentication and Endpoint Considerations

    802.1X and Microsoft Windows

    Other Considerations


    Handling Non-802.1X Clients & Guests

    Authenticate via less-secure method

    MAC Authentication Bypass (MAB)

    Web Auth (client must have browser)

    Give them limited access after timeout and no response

    Guest VLAN

    Allow WLAN access instead of wired

    WLAN is a great way to do guest access if available

    802.1X with Guest VLAN

    Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)

    A device is only deployed into the guest VLAN based on the lack of response to the EAP-Request-Identity frames (which can be thought of as 802.1X hellos)

    No further security or authentication to be applied. -configured 802.1X (i.e. multi-host), and hard-set the port into the specified VLAN

    90 seconds is greater than the MSFT DHCP timeout

    Client <-> switch 802.1X process:
    1. Upon link up: EAP-Identity-Request (D = 01.80.c2.00.00.03), no response
    2. After 30 seconds: EAP-Identity-Request, no response
    3. After 30 seconds: EAP-Identity-Request, no response
    4. After 30 seconds: port deployed into the Guest VLAN; EAP-Success (D = 01.80.c2.00.00.03) sent

    authentication event no-response action authorize vlan 50

    MAC Authentication Bypass (MAB)

    Client (00.0a.95.7f.de.06) <-> switch (Dot1x/MAB) <-> RADIUS:
    1. Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03, no response
    2. After 30 seconds: EAPOL-Request (Identity), no response
    3. After 30 seconds: EAPOL-Request (Identity), no response
    4. After 30 seconds: EAPOL timeout, switch initiates MAB
    5. Variable: switch learns the client's MAC from its first frame
    6. RADIUS-Access-Request (switch -> RADIUS)
    7. RADIUS-Access-Accept (RADIUS -> switch)
    8. Port enabled

    interface GigabitEthernet 1/1
     mab
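    Steps 6 and 7 above, and the AV pairs of the RADIUS slide, as an added Python example (not code from the deck or from Cisco): it builds the Access-Request a switch sends for MAB, with User-Name and User-Password set to the learned MAC, the RFC 2865 User-Password encryption, and the RFC 3579 Message-Authenticator, then builds and verifies an Access-Accept whose RFC 2868 tunnel attributes carry a dynamic VLAN. The MAC 00-18-f8-09-cf-d7 and the shared secret cisco123 are the values from the slides; that Cisco MAB marks its requests with Service-Type Call-Check, and the tag byte 0x01 on the tunnel attributes, are assumptions, and all function names are mine.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RADIUS codes and attribute types from RFC 2865 / RFC 2868 / RFC 3579
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
SERVICE_TYPE_CALL_CHECK = 10   # assumption: Cisco MAB marks its requests as Call-Check
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute (the 'AV pair' of the slides)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs


def encrypt_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: 16-byte blocks XORed with a chained MD5 keystream."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(password), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(password[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decrypt_password(secret: bytes, request_auth: bytes, cipher: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def mab_access_request(secret: bytes, mac: str, ident: int = 1, request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request as the authenticator sends it for MAB: User-Name and User-Password are both the MAC."""
    request_auth = request_auth or os.urandom(16)
    name = mac.lower().replace("-", "").replace(":", "").replace(".", "").encode()
    attrs = (avp(USER_NAME, name)
             + avp(USER_PASSWORD, encrypt_password(secret, request_auth, name))
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + avp(CALLING_STATION_ID, mac.encode())
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, filled in below (RFC 3579 3.2)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    i = 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + length:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[i + 2:i + length])
        i += length
    return False


def access_accept_with_vlan(secret: bytes, request: bytes, vlan: int) -> bytes:
    """Access-Accept carrying the RFC 2868 tunnel AV pairs a switch reads as a dynamic VLAN assignment."""
    ident, request_auth, tag = request[1], request[4:20], b"\x01"
    attrs = (avp(TUNNEL_TYPE, tag + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
             + avp(TUNNEL_MEDIUM_TYPE, tag + struct.pack("!I", TUNNEL_MEDIUM_802)[1:])
             + avp(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator (RFC 2865 3): MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def assigned_vlan(response: bytes) -> Optional[int]:
    attrs = dict(parse_attrs(response))
    if attrs.get(TUNNEL_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]:
        return None
    return int(attrs[TUNNEL_PRIVATE_GROUP_ID][1:])
```

    The authenticator must check the Response Authenticator before acting on the Accept: the request's 16-byte authenticator and the shared secret are the only things binding the reply to the request, which is also why a MAB password that is simply the MAC makes the secret and the RADIUS path, not the credential, the security boundary.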


    MAB Limitations & Challenges

    MAB requires creating and maintaining MAC database

    Default 802.1X timeout = 90 seconds

    90 sec > default MSFT DHCP timeout

    90 sec > default PXE timeout

    Current Workaround: Timer tuning (always requires testing)

    max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire

    tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting

    802.1X Timeout == (max-reauth-req + 1) * tx-period

    NAC Profiler: Query MAC Database After Deploying 802.1X

    Switch <-> ACS <-> NAC Profiler Server:
    1. RADIUS-Access-Request: 00-18-f8-09-cf-d7 (switch -> ACS)
    2. LDAP query: 00-18-f8-09-cf-d7 (ACS -> NAC Profiler Server)
    3. LDAP Success (NAC Profiler Server -> ACS)
    4. RADIUS-Access-Accept (ACS -> switch)
    5. Port enabled for 00-18-f8-09-cf-d7

    1) 802.1X times out, switch initiates MAB
    2) ACS queries Profiler Database using LDAP
    3) Profiler validates MAC address
    4) ACS sends MAB success
    5) Switch enables port (with optional authorization)

    interface range gigE 1/0/1 - 24
     switchport access vlan 30
     switchport voice vlan 31
     authentication port-control auto
     mab

    Microsoft AD as MAB Database (DB)

    Can be used as a MAB DB using a user object. The username and password will be the MAC address of the device.
    Many useless objects
    May conflict with complex password policy

    Can create a lightweight AD instance for this purpose that can be referred to via LDAP

    Can use the ieee802Device object class for the MAB database.
    Reduces object count
    No conflict with complex password policy
    Windows Server 2003 R2 and Windows Server 2008

    For Your Reference

    Web-Based Proxy Authentication

    1. No EAPOL: 802.1X times out (802.1X process)
    2. Client initiates connection, activates the port authentication state machine
    3. Switch port filters traffic, limiting it to HTTP, HTTPS, DNS and DHCP
    4. Switch port relays the DHCP address from the DHCP server
    5. User starts a web browser and initiates a web connection
    6. Switch port redirects the URL and presents an HTTP form prompting for userid/password
    7. User enters credentials; they are checked against the RADIUS DB via PAP (RADIUS process). If authenticated, the switch port is opened for normal network access

    802.1X Client Without Valid Credential: Authentication Failures

    Supplicant (Client, SSC) --802.1X/EAP--> Authenticator (Switch) --RADIUS--> Authentication Server (AAA/ACS)
    1. EAPOL-Start*
    2. EAP-Identity-Exchange
    3. RADIUS-Access-Request
    4. EAP-Data-Request (EAP exchange)
    5. RADIUS-Access-Request
    6. RADIUS-Reject
    7. EAPOL-Failure
    Port is never granting access

    * Note: EAPOL-Starts are optional, the possibility of EAP-NAK is left out intentionally, and the EAP exchange is dependent on the method.

    This works great in preventing rogue access to a network!
    This is a primary reason Enterprises look to deploy 802.1X/Identity Networking!
    This is also the problem! (How should we provide access to devices that fail?)

    Why Provide Access to Devices that Fail?

    As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default ("User Unknown!").
    Many enterprises require that guests and failed corporate assets ("Certificate Expired!") get conditional access to the network.
    Re-provision credentials through a web proxy or VPN tunnel
    Provide guest access through VLAN assignment or web proxy

    Failed Auth: Solution 1: Auth-Fail-VLAN

    Supplicant (Client, SSC) --802.1X--> Authenticator (Switch) --RADIUS--> Authentication Server (AAA/ACS)
    EAP-Identity-Exchange -> RADIUS-Access-Request
    EAP-Data-Request -> RADIUS-Access-Request
    RADIUS-Reject -> EAPOL-Failure (repeated for each failed attempt)
    RADIUS-Reject -> EAPOL-Success (third consecutive failure)
    On the third consecutive failure, the port is enabled and an EAPOL-Success is transmitted. Port is now granted access.

    interface GigabitE 3/13
     authentication port-control auto
     authentication event fail action authorize vlan 51

    802.1X with Auth-Fail VLAN: Deployment Considerations

    1. Supplicant cannot exit the Auth-Fail VLAN
       Only alternatives: switch-initiated re-authentication or port bounce
    2. No secondary authentication mechanism
    3. Auth-Fail VLAN, like Guest VLAN, is a switch-local authorization -> centralized policy on the AAA server is not enforced
    4. Switch and AAA server have conflicting views of the network: the switch shows "Access Granted" (Auth-fail VLAN) while the AAA server shows "Access Denied"

    Failed Auth: Solution 2: Flex-auth: Next-method

    Supplicant (Client, SSC) --802.1X--> Authenticator (Switch) --RADIUS--> Authentication Server (AAA/ACS)
    EAP-Request / EAP-Identity-Response -> RADIUS-Access-Request: EAP
    RADIUS-Access-Response
    RADIUS-Reject
    Learn MAC -> RADIUS-Access-Request: MAC
    RADIUS-Access-Accept
    On 802.1X failure, the port continues to the next authentication method (MAB). Port is now granted access based on MAB authorization.

    interface GigabitE 3/13
     authentication port-control auto
     authentication order dot1x mab
     mab
     authentication event fail action next-method

    802.1X with Next-Method MAB: Deployment Considerations

    MAC database required
    Policy decision: should 802.1X-capable devices get the same access level (MAB-assigned VLAN) if they authenticate via MAB after failing 802.1X?

    The Problem: RADIUS Unavailable

    Client --802.1X--> Switch --RADIUS--> RADIUS server
    1. EAP-Identity-Exchange
    2. RADIUS-Access-Request, retransmitted, no answer from the RADIUS server
    3. EAPOL-Failure; port is not granting access

    Inaccessible Authentication Bypass

    IOS configuration:
    dot1x critical recovery delay 100
    radius-server host x.x.x.x test username [username]
    radius-server dead-criteria time 15 tries 3
    interface GigabitEthernet 1/0/1
     dot1x critical
     authentication event server dead action authorize vlan 100
     authentication event server alive action reinitialize

    802.1X state machine: EAP-Identity-Request / EAP-Identity-Response, then the EAP-Auth Exchange relayed as the Auth Exchange w/AAA Server. Authentication Successful/Rejected -> EAP-Success/Failure -> port authorized. With the server dead, the port is authorized into VLAN 100; when the RADIUS server comes back -> immediate reinitialize.

    Flexible Authentication Sequencing (Flex-Auth)

    Configurable behavior after 802.1X failure

    authentication event fail action authorize vlan X

    authentication event fail action next-method

    Configurable behavior after 802.1X timeout

    authentication event no-response action authorize vlan Y

    Configurable behavior before & after AAA server dies

    authentication event server dead action authorize vlan Z

    authentication event server alive action reinitialize

    Two more features complete Flex-Auth:

    authentication order

    authentication priority

    Flex-Auth Sequencing

    Default Order: 802.1X First
    802.1X --(802.1X timeout)--> MAB --(MAB fails)--> Guest VLAN
    By default, the switch attempts the most secure auth method first. Timeout can mean significant delay before MAB.

    Flex-Auth Order: MAB First
    MAB --(MAB fails)--> 802.1X --(802.1X timeout)--> Guest VLAN
    Alternative order does MAB on the first packet from the device.

    Flex-Auth Order with Flex-Auth Priority

    Priority determines which method can preempt other methods.
    By default, method sequence determines priority (first method has highest priority).
    If MAB has priority, EAPoL-Starts will be ignored if MAB passes.

    Default Priority: 802.1X ignored after successful MAB
    MAB --(MAB passes)--> Port authorized by MAB; EAPoL-Start received -> ignored (MAB --(MAB fails)--> 802.1X)

    Flex-Auth Priority: 802.1X starts despite successful MAB
    MAB --(MAB passes)--> Port authorized by MAB; EAPoL-Start received -> 802.1X starts

    802.1X & IPT: A Special Case

    Voice Ports
    With voice ports, a port can belong to two VLANs, still allowing the separation of voice/data traffic while enabling you to configure 802.1X
    An access port able to handle two VLANs:
    Native or Port VLAN Identifier (PVID): authenticated by 802.1X, untagged 802.3 frames
    Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1q frames
    Hardware set to dot1q trunk

    802.1X and Voice: Multi-Domain Authentication (MDA)

    MDA replaces CDP Bypass
    Supports Cisco & 3rd party phones
    Phones and PCs use 802.1X or MAB

    [Figure: Catalyst 3750 with an IP phone and a PC daisy-chained on one port]

    IEEE 802.1X: single device per port
    MDA: two domains per port (Voice and Data), single device per domain per port
    Phone authenticates in the Voice Domain, tags traffic (802.1q) in the VVID
    PC authenticates in the Data Domain, untagged traffic in the PVID

    3K: 12.2(35)SEE
    4K: 12.2(37)SG
    6K: 12.2(33)SXI

    MDA for Any IP Phone

    1) Phone learns VVID from CDP (Cisco phone)
    2) 802.1X times out (no supplicant on phone)
    3) Switch initiates MAB: Access-Request: Phone MAC
    4) ACS returns Access-Accept with Phone VSA
    5) Phone traffic allowed on either VLAN until it sends a tagged packet, then only the voice VLAN
    6) (Asynchronous) PC (SSC) authenticates using 802.1X (EAP) or MAB; PC traffic allowed on the data VLAN only

    interface GigE 1/0/5
     authentication host-mode multi-domain
     authentication port-control auto
     dot1x pae authenticator
     mab

    MDA in Action

    Either 802.1X or MAB for the phone
    Any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for the PC

    ID-6500a#sho authentication session int g 7/1
                Interface:  GigabitEthernet7/1
              MAC Address:  000f.2322.d9a2
               IP Address:  10.6.110.2
                User-Name:  00-0F-23-22-D9-A2
                   Status:  Authz Success
                   Domain:  VOICE
           Oper host mode:  multi-domain
         Oper control dir:  both
            Posture Token:  Unknown
            Authorized By:  Authentication Server
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A00645A0000000102124450
          Acct Session ID:  0x00000007
                   Handle:  0x1D000001
    -- snip --
                Interface:  GigabitEthernet7/1
              MAC Address:  000d.60fc.8bf5
               IP Address:  10.6.80.2
                User-Name:  host/beta-supp
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Posture Token:  Healthy
            Authorized By:  Authentication Server
              Vlan Policy:  80
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A00645A000000020213FF9C
          Acct Session ID:  0x00000008
                   Handle:  0x6E000002
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run

    Phone authenticated by MAB (VOICE domain); PC authenticated by 802.1X (DATA domain)
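    The show output above is what an operator has for monitoring MDA ports, so here is an added Python example (not from the deck or from Cisco) that parses it into one record per session, works out which method actually authorized each domain (from the runnable methods list when present, otherwise from a MAC-shaped User-Name as the MAB slides describe), and lists DATA-domain devices that were let in by MAB rather than 802.1X, the policy question raised on the Next-Method slide. The sample text is a constructed copy of the slide's output; function names and the regular expressions are mine.

```python
import re
from typing import Dict, List

# Constructed sample: the slide's output, as the CLI prints it
SAMPLE_OUTPUT = """\
ID-6500a#sho authentication session int g 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Unknown
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000102124450
      Acct Session ID:  0x00000007
               Handle:  0x1D000001
-- snip --
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.80.2
            User-Name:  host/beta-supp
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Healthy
        Authorized By:  Authentication Server
          Vlan Policy:  80
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A000000020213FF9C
      Acct Session ID:  0x00000008
               Handle:  0x6E000002
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

KV = re.compile(r"^\s*([A-Za-z][\w -]*?):\s+(.*?)\s*$")            # "Key:  value" lines
METHOD_STATE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")   # rows of the methods list
MAC_USERNAME = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")  # MAB sends the MAC as the username


def parse_sessions(text: str) -> List[Dict]:
    """One dict per session; a new session starts at every 'Interface:' line."""
    sessions, cur, in_methods = [], None, False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        kv = KV.match(line)
        if kv and kv.group(1) == "Interface":
            cur = {"fields": {}, "methods": {}}
            sessions.append(cur)
            in_methods = False
        if in_methods and cur is not None:
            ms = METHOD_STATE.match(line)
            if ms:
                cur["methods"][ms.group(1)] = ms.group(2)
            continue
        if kv and cur is not None:
            cur["fields"][kv.group(1)] = kv.group(2)
    return sessions


def auth_method(session: Dict) -> str:
    for method, state in session["methods"].items():
        if state == "Authc Success":
            return method
    if MAC_USERNAME.match(session["fields"].get("User-Name", "")):
        return "mab"              # no methods list shown, but the username is a MAC: MAB
    return "unknown"


def summarize(text: str) -> Dict[str, Dict]:
    """Per-domain view of the port: MAC, username, status, method and any VLAN policy."""
    out = {}
    for s in parse_sessions(text):
        f = s["fields"]
        out[f.get("Domain", "?")] = {"mac": f.get("MAC Address"), "user": f.get("User-Name"),
                                     "status": f.get("Status"), "method": auth_method(s),
                                     "vlan": f.get("Vlan Policy")}
    return out


def data_devices_on_mab(text: str) -> List[str]:
    """MACs authorized in the DATA domain by MAB rather than 802.1X: worth a policy review."""
    return [s["fields"]["MAC Address"] for s in parse_sessions(text)
            if s["fields"].get("Domain") == "DATA" and auth_method(s) == "mab"]


if __name__ == "__main__":
    for domain, info in summarize(SAMPLE_OUTPUT).items():
        print(domain, info)
```

    Fed the output of the same command across a switch, data_devices_on_mab gives the list of PCs that fell back to MAB, which is the set the Next-Method slide asks you to make a policy decision about.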

    IPT & 802.1X: The Link-State Problem

    [Figure: Catalyst 3750 port with an IP phone and PC A / PC B behind it]

    1) Legitimate users cause a security violation: the port is authorized for 0011.2233.4455 (A) only. When A is replaced by B (S:6677.8899.AABB) behind the phone, the switch sees frames from a second source MAC on a single-host port: Security Violation.

    2) Hackers can spoof the MAC to gain access without authenticating: once A's session is up, frames with S:0011.2233.4455 from any device behind the phone are accepted (Security Hole).

    Previous Solution: Proxy EAPoL-Logoff

    [Figure: three states of one Catalyst 3750 port with an IP phone]

    A. PC-A (SSC) authenticated: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = Dot1x
    PC-A unplugs: the phone sends a proxy EAPoL-Logoff on its behalf; session cleared immediately: Domain = DATA, Port Status = UNAUTHORIZED
    B. PC-B (SSC) plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x

    Caveats:
    Only for 802.1X devices behind the phone
    Requires logoff-capable phones

    Previous Solution: MAB Inactivity Timeout

    [Figure: three states of one Catalyst 3750 port with an IP phone]

    Device authenticated: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
    Device unplugs: vulnerable to security violation and/or hole until the inactivity timer expires
    Inactivity timer expires: session cleared, vulnerability closed: Domain = DATA, Port Status = UNAUTHORIZED
    Device re-authenticates (here the same device, 0011.2233.4455): Domain = DATA, Port Status = AUTHORIZED, Authentication Method = MAB

    interface GigE 1/0/5
     switchport mode access
     switchport access vlan 2
     switchport voice vlan 12
     authentication host-mode multi-domain
     authentication port-control auto
     authentication timer inactivity 300
     mab

    Caveats: quiet devices may have to re-auth; network access denied until re-auth completes. Still a window of vulnerability.

    3K: 12.2(35)SE
    4K: 12.2(50)SG
    6K: 12.2(33)SXI

    NEW Solution: CDP 2nd Port Notification

    [Figure: three states of one Catalyst 3750 port with an IP phone]

    Device A authenticated: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORIZED, Authentication Method = MAB
    Device A unplugs: the phone sends a CDP link down TLV to the switch; session cleared immediately: Domain = DATA, Port Status = UNAUTHORIZED
    Device B (SSC) plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORIZED, Authentication Method = Dot1x

    Link status message addresses the root cause
    Session cleared immediately
    Works for MAB and 802.1X
    Nothing to configure

    IP Phone: 8.4(1)
    3K: 12.2(50)SE
    4K: 12.2(50)SG
    6K: 12.2(33)SXI

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 71

    Each MAC authenticated

    802.1X or MAB

    Multiple MACs on Port

    interface fastEthernet 3/48
    authentication port-control auto
    authentication host-mode multi-auth

    VM

    No VLAN Assignment Supported

    Superset of MDA with multiple Data Devices per port

    Modifying Default Security with 802.1X: Multi-Auth Mode

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 73

    802.1X Deployment Considerations

    Non-802.1X Clients & Guests

    Failed Access Handling

    RADIUS Availability

    Flexible Authentication Sequencing

    Multiple Devices Per Port

    Authorization

    Authentication and Endpoint Considerations

    802.1X and Microsoft Windows

    Other Considerations

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 74

    Authorization

    Authorization is the embodiment of the ability to enforce policies on identities

    Typically, policies are applied using a group methodology, which allows for easier manageability

    The goal is to take the notion of group management and policies into the network

    Types of Authorization:

    Default: Closed until authenticated.

    Dynamic: VLAN assignment, ACL assignment

    Local: Guest VLAN, Auth-fail VLAN, Critical Auth VLAN

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 75

    Open Mode (No Restrictions)

    interface GigabitE 3/13
    authentication port-control auto
    authentication open
    mab

    Authentication Performed

    No Access Control

    Changing the Default Authorization:

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 76

    RADIUS accounting logs provide visibility:
    Passed/Failed 802.1X/EAP attempts
    List of valid 802.1X capable
    List of non-802.1X capable
    Passed/Failed MAB attempts
    List of Valid MACs
    List of Invalid or unknown MACs

    TO DO before implementing access control:
    Confirm that all these should be on the network
    Install supplicants on X, Y, Z clients
    Upgrade credentials on failed 802.1X clients
    Update MAC database with failed MABs

    Open Access Application 1: Monitor Mode

    installing supplicants and credentials, creating MAB database
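    The classification the monitor-mode slide asks for, as an added example that is not part of the Cisco deck. It groups RADIUS authentication results per MAC and derives the four lists plus the TO DO items; the log lines are constructed, and their field layout (timestamp, result, method, user, MAC, port) is an assumption rather than an ACS export format. The one inference the slide leaves implicit is made explicit: MAB is only reached after the EAPOL timeout, so a MAC that was never seen in any EAP exchange is an endpoint without a supplicant.

```python
"""Added example (not from the Cisco deck): turn RADIUS authentication
results from a monitor-mode pilot into the lists the slide asks for.
The log lines are constructed; the field layout is an assumption."""
from collections import defaultdict

CONSTRUCTED_LOG = """\
2009-12-15T14:46:59,Passed,EAP,nac\\darrimil,000d.60fc.8bf5,Gi7/1
2009-12-15T14:47:10,Failed,EAP,nac\\jsmith,0011.2233.4455,Gi7/2
2009-12-15T14:47:40,Failed,MAB,00-11-22-33-44-55,0011.2233.4455,Gi7/2
2009-12-15T14:48:02,Passed,MAB,00-0F-23-22-D9-A2,000f.2322.d9a2,Gi7/1
2009-12-15T14:48:30,Failed,MAB,00-0A-95-7F-DE-06,000a.957f.de06,Gi7/3
"""


def classify(log_text: str) -> dict:
    """Group attempts per MAC, then derive the monitor-mode lists."""
    per_mac = defaultdict(lambda: {"EAP": set(), "MAB": set(), "ports": set()})
    for line in log_text.strip().splitlines():
        _ts, result, method, _user, mac, port = line.split(",")
        per_mac[mac.lower()][method].add(result)
        per_mac[mac.lower()]["ports"].add(port)

    keys = ("dot1x_ok", "dot1x_failed", "mab_ok", "mab_unknown", "no_supplicant")
    report = {k: set() for k in keys}
    for mac, rec in per_mac.items():
        if "Passed" in rec["EAP"]:
            report["dot1x_ok"].add(mac)          # 802.1X capable, credentials valid
        elif rec["EAP"]:
            report["dot1x_failed"].add(mac)      # 802.1X capable, fix credentials/certs
        if "Passed" in rec["MAB"]:
            report["mab_ok"].add(mac)            # MAC already in the MAB database
        elif rec["MAB"]:
            report["mab_unknown"].add(mac)       # MAC not in the database (or not wanted)
        # MAB is only reached after the EAPOL timeout, so a MAC that never
        # exchanged EAP at all is an endpoint without a supplicant.
        if rec["MAB"] and not rec["EAP"]:
            report["no_supplicant"].add(mac)
    return report


def todo(report: dict) -> list:
    """The slide's TO DO list, generated from the classification."""
    items = []
    for mac in sorted(report["no_supplicant"] & report["mab_unknown"]):
        items.append(f"{mac}: confirm the device belongs on the network, then "
                     "install a supplicant or add the MAC to the MAB database")
    for mac in sorted(report["dot1x_failed"]):
        items.append(f"{mac}: upgrade credentials on failed 802.1X client")
    return items


if __name__ == "__main__":
    result = classify(CONSTRUCTED_LOG)
    for name, macs in result.items():
        print(f"{name}: {sorted(macs)}")
    print("\n".join(todo(result)))
```

    A MAC can land in more than one list (0011.2233.4455 above failed EAP and then failed MAB through next-method failover), which is exactly the case where the fix is credentials, not a MAB database entry.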

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 77

    Selectively Open Access

    Block General Access Until Successful 802.1X, MAB

    or WebAuth

    Pinhole explicit tcp/udp ports to allow desired access

    interface GigabitE 3/13
    authentication port-control auto
    authentication open
    ip access-group UNAUTH in

    Open Mode Application 2: Selectively Open Mode

    Open Mode (Pinhole)

    On Specific TCP/UDP Ports

    Restrict to Specific Addresses

    EAP Allowed (Controlled Port)

    Download general-access ACL upon authentication

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 78

    (Before Authentication)
    Switch#show tcam interface g1/13 acl in ip
    permit tcp any any established match-any
    permit udp any any eq bootps
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp
    deny ip any any

    [Figure: Catalyst 6500 802.1X Ethernet port between wired Ethernet end points and the ACS/AAA, DHCP/DNS and PXE servers; EAP, DHCP, DNS and PXE flows pass before authentication]

    Sample Open Mode Configs

    Slide Source: Ken Hook

    interface range gigE 1/0/1 - 24
    switchport access vlan 30
    switchport voice vlan 31
    ip access-group UNAUTH in
    authentication host-mode multi-domain
    authentication open
    authentication port-control auto
    mab

    10.100.10.116

    10.100.10.117

    ip access-list extended UNAUTH
    permit tcp any any established
    permit udp any any eq bootps
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp

    (After Authentication)
    Switch#show tcam interface g1/13 acl in ip
    permit ip host 10.100.60.200 any
    permit tcp any any established match-any
    permit udp any any eq bootps
    permit udp any host 10.100.10.116 eq domain
    permit udp any host 10.100.10.117 eq tftp
    deny ip any any

    IP: 10.100.60.200

    Open Mode with Dynamic ACLs
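    An added example, not from the Cisco deck, that evaluates constructed flows against the slide's UNAUTH pre-authentication ACL and then against the merged ACL after authentication, where the downloaded per-host entry sits ahead of the static entries as in the post-auth TCAM dump above. The ACE parser handles only the syntax that appears on the slide (any/host addresses, eq with the bootps/domain/tftp keywords, established); the implicit deny at the end of every IOS ACL is modelled explicitly.

```python
"""Added example (not part of the Cisco deck): evaluate the slide's UNAUTH
pre-authentication ACL, then the merged ACL after a downloadable ACL (dACL)
is prepended on successful authentication, against constructed flows."""
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the slide's ACL -> port numbers
PORT_NAMES = {"bootps": 67, "domain": 53, "tftp": 69}


@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    established: bool = False  # TCP segment with ACK or RST set


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp" or "udp"
    src: str                   # "any" or a host address
    dst: str
    dport: Optional[int] = None
    established: bool = False

    def matches(self, f: Flow) -> bool:
        return ((self.proto == "ip" or self.proto == f.proto)
                and self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and (self.dport is None or self.dport == f.dport)
                and (not self.established or f.established))


def parse_ace(line: str) -> Ace:
    """Parse the subset of IOS ACE syntax that appears on the slide."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        raise ValueError(f"unsupported address form in: {line}")

    src, dst = addr(), addr()
    dport, established = None, False
    while i < len(tok):
        if tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
    return Ace(action, proto, src, dst, dport, established)


# The static port ACL from the slide (IOS adds an implicit 'deny ip any any')
UNAUTH = [parse_ace(l) for l in """\
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp""".splitlines()]


def evaluate(acl, flow: Flow) -> str:
    """First matching ACE wins; no match hits the implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"


def after_auth(dacl_lines, base_acl=UNAUTH):
    """Merged view after authentication: the downloaded per-host entries are
    placed ahead of the static UNAUTH entries, as the slide's TCAM dump shows."""
    return [parse_ace(l) for l in dacl_lines] + list(base_acl)


if __name__ == "__main__":
    web = Flow("tcp", "10.100.60.200", "10.1.1.1", 80)
    print("before auth:", evaluate(UNAUTH, web))
    print("after auth: ", evaluate(after_auth(["permit ip host 10.100.60.200 any"]), web))
```

    The last two checks in the usage are the point of the slide: before authentication the host reaches only DHCP, the named DNS and TFTP servers and return traffic of established TCP sessions; after authentication the per-host dACL opens general access for that host only, so a second MAC on the same port stays limited to the pinholes.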

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 79

    Dynamic Authorization: VLAN Assignment

    Dynamic VLAN assignment based on the identity of a group, or an individual, at the time of authentication

    VLANs assigned by name allow for more flexible VLAN management

    Tunnel attributes used to send back VLAN configuration information to authenticator

    Tunnel attributes are defined by RFC 2868

    Usage for VLANs is specified in the 802.1X standard

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 80

    802.1X with VLAN Assignment

    AV Pairs Used: All Are IETF Standard

    [64] Tunnel-type

    [65] Tunnel-medium-type

    [81] Tunnel-private-group-ID

    VLAN name must match switch configuration

    Mismatch results in authentication failure

    Marketing

    aaa authorization network default group radius
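    An added example, not from the Cisco deck, that builds the three RFC 2868 tunnel attributes listed above the way a RADIUS server would return them, parses them back the way an authenticator would, and applies the slide's matching rule (a VLAN name must match the switch configuration; a mismatch is an authorization failure). The Tunnel-Type value 13 (VLAN) and Tunnel-Medium-Type value 6 (IEEE-802) are the registered values; the exact, case-sensitive name comparison in resolve_on_switch is an assumption of this example.

```python
"""Added example (not part of the Cisco deck): build and check the RFC 2868
tunnel attributes a RADIUS server returns for 802.1X VLAN assignment."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # registered Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # registered Tunnel-Medium-Type value "IEEE-802"


def _tlv(attr_type: int, data: bytes) -> bytes:
    """RADIUS attribute: Type, Length (includes the two header bytes), Value."""
    return bytes([attr_type, 2 + len(data)]) + data


def tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    # Tagged integer: one tag octet (0x01-0x1F, 0x00 = untagged) + 3 value octets
    return _tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    return _tlv(attr_type, bytes([tag]) + value.encode("ascii"))


def vlan_assignment_attrs(vlan: str, tag: int = 1) -> bytes:
    """The three attributes from the slide, grouped by a common tag."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))


def parse_attrs(buf: bytes):
    """Split a RADIUS attribute list into (type, value) pairs."""
    i, out = 0, []
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed RADIUS attribute")
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out


def requested_vlan(buf: bytes):
    """Return the VLAN name/ID the authenticator would act on, or None when the
    triplet is incomplete, not a VLAN/802 tunnel, or inconsistently tagged."""
    parts = {}
    for t, v in parse_attrs(buf):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            parts[t] = (v[0], int.from_bytes(v[1:4], "big"))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a first octet above 0x1F is data, not a tag
            if v[0] <= 0x1F:
                parts[t] = (v[0], v[1:].decode("ascii"))
            else:
                parts[t] = (0, v.decode("ascii"))
    if len(parts) != 3:
        return None
    if (parts[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN
            or parts[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802):
        return None
    if len({tag for tag, _ in parts.values()}) != 1:
        return None   # the tag is what groups the three attributes together
    return parts[TUNNEL_PRIVATE_GROUP_ID][1]


def resolve_on_switch(vlan_value: str, switch_vlans: dict):
    """The slide's rule: a number must be an existing VLAN ID, anything else
    must match a configured VLAN name (assumption: exact, case-sensitive).
    None models the authorization failure on the switch."""
    if vlan_value.isdigit():
        vid = int(vlan_value)
        return vid if vid in switch_vlans else None
    return next((vid for vid, name in switch_vlans.items() if name == vlan_value), None)


if __name__ == "__main__":
    reply = vlan_assignment_attrs("Marketing")
    print(reply.hex(), "->", requested_vlan(reply),
          "->", resolve_on_switch(requested_vlan(reply), {50: "Marketing"}))
```

    Note that a mismatch is detected only on the switch: the RADIUS server has already logged a passed authentication by the time resolve_on_switch would return None, which is the troubleshooting point made later in the deck.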

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 82

    URL Redirect

    Requires HTTP on the switch

    Mainly used for custom notification at this time

    Future integration with other Cisco products

    [Figure: Authentication Process between Client, Switch, RADIUS and Web Page]
    1. 802.1X/MAC Authentication
    2. RADIUS authorizes port with URL redirect
    3. User Initiates Web Connection
    4. Switch Port Redirects to Web Page

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 83

    Authorization Recommendations

    All Authorization (VLAN, dACL, etc.) is completely optional

    Only use it if you have to separate users due to a business requirement

    Most enterprises do not have this requirement for known users

    Leave the port in its default VLAN or assign the VLAN during machine authentication if possible

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 84

    802.1X Deployment Considerations

    Non-802.1X Clients & Guests

    Failed Access Handling

    RADIUS Availability

    Flexible Authentication Sequencing

    Multiple Devices Per Port

    Authorization

    Authentication and Endpoint Considerations

    802.1X and Microsoft Windows

    Other Considerations

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 85

    802.1X Authentication Database

    Where is the single source of authentication credentials for the enterprise?

    Do you have to build new or extend trust between databases?

    Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases

    The EAP method may impose requirements on the authentication database, for example when MS-CHAPv2 is required for password authentication.

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 86

    Supplicant Considerations

    Microsoft Windows

    User and machine authentication

    DHCP request time out

    Machine authentication restriction

    Default methods: MD5, PEAP, EAP-TLS

    Unix/Linux considerations

    Open source: xsupplicant Project (University of Utah)

    Available from http://www.open1x.org

    Supports EAP-MD5, EAP-TLS,

    PEAP/MSCHAPv2, PEAP/EAP-GTC

    Native Apple supplicant support in OS X 10.3

    802.1X is turned off by default!

    Default parameters TTLS, LEAP, PEAP, MD5, FAST supported

    Support for airport and wired interfaces

    In 10.5, single sign-on (SSO) can be accomplished for system or user, but not both at the same time
  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 87

    Features

    Robust Profile Management

    Support for industry standards

    Endpoint integrity

    Single sign-on capable

    Enabling of group policies

    Administrative control

    Benefits

    Simple, secure device connectivity

    Minimizes chances of network compromise from infected devices

    Reduces complexity

    Restricts unauthorized network access

    Centralized provisioning

    Secure Services Client

    Cisco Secure Services Client (SSC)

    Introduces features over and above the native supplicants

    EAP types

    PEAP, TLS, FAST, etc.

    Management Interfaces

    Automatic VPN initiation

    Windows XP, 2003, Vista

    SSC

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 88

    802.1X Deployment Considerations

    Non-802.1X Clients & Guests

    Failed Access Handling

    RADIUS Availability

    Flexible Authentication Sequencing

    Multiple Devices Per Port

    Authorization

    Authentication and Endpoint Considerations

    802.1X and Microsoft Windows

    Other Considerations

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 89

    Windows Boot Cycle Overview

    [Figure: Windows boot sequence; X marks components that depend on network connectivity]
    Power On
    Kernel Loading, Windows HAL Loading, Device Driver Loading
    Obtain Network Address (Static, DHCP)  X
    Determine Site and DC (DNS, LDAP)  X
    Establish Secure Channel to AD (LDAP, SMB)  X
    Kerberos Authentication (Machine Account)  X
    Computer GPOs Loading (Async)  X
    GPO based Startup Script Execution  X
    Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update  X
    GINA (earliest network connectivity with user auth only)
    Kerberos Auth (User Account)
    User GPOs Loading (Async)
    GPO based Logon Script Execution (SMB)

    Inherent Assumption of Network Connectivity: the components marked X depend on network connectivity and are the components broken with 802.1X user authentication only

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 90

    Problem 1: Microsoft Issues with DHCP

    DHCP Is a Parallel Event, Independent of 802.1X Authentication

    With wired interfaces a successful 802.1X authentication does not force a DHCP address discovery (no media-connect signal)

    DHCP starts once interface comes up

    If 802.1X authentication takes too long, DHCP may time out

    [Figure: boot timeline] Power Up -> Load NDIS Drivers -> DHCP -> Setup Secure Channel to DC -> Present GINA (Ctrl-Alt-Del) Login
    DHCP Timeout at 62 Seconds
    802.1X Auth: Variable Timeout

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 91

    Problem 2: Machine GPOs Broken

    What Is a Group Policy?

    Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment

    Types of Group Policy

    Registry-based policy

    Security options

    Software installation and maintenance options

    Scripts options

    Folder redirection options

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 92

    The Solution: Machine Authentication

    What is machine authentication?

    The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session

    What is it used for?

    Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies

    Why do we care?

    Pre-802.1X this worked under the assumption that network connectivity was a given; post-802.1X the blocking of network access prior to 802.1X authentication breaks DHCP & the machine-based group policy model UNLESS the machine can authenticate using its own identity in 802.1X

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 95

    802.1X VLAN Assignment, Problem 1: DHCP Renewal

    When using dynamic VLAN assignment with user & machine

    IP address may need to change also

    Supplicant behavior has been addressed by Microsoft

    Windows XP: install service pack 1a + KB 826942

    Windows 2000: install service pack 4

    Needed for VLAN assignment with Wireless Zero Config

    Updated supplicants trigger DHCP IP address renewal

    Successful authentication causes client to ping default gateway (three times) with a sub-second timeout

    Lack of echo reply will trigger a DHCP IP renew

    Successful echo reply will leave IP as is

    The pre-renewal ping prevents lost connections when the subnet stays the same but the client may be WLAN roaming

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 96

    DHCP and 802.1X
    Windows XP: Install Service Pack 1a + KB 826942
    Windows 2000: Install Service Pack 4

    [Figure: message sequence between Supplicant, Authenticator and Authentication Server]
    Login Req.
    Send Credentials
    Forward Credentials to ACS Server
    Accept
    Auth Successful (EAP Success), VLAN Assignment
    ICMP Echo (x3) for Default GW as Soon as EAP-Success Frame Is Rcvd
    DHCP-Request (D=255.255.255.255) (After Pings Have Gone Unanswered)
    DHCP-NAK (Wrong Subnet)
    DHCP-Discover (D=255.255.255.255)
    At This Point, DHCP Proceeds Normally

    For Your Reference

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 97

    [Figure: Windows boot cycle with 802.1X machine and user authentication and VLAN assignment; start of 802.1X auth may vary among supplicants]
    Machine VLAN (assigned at 802.1X Machine Auth):
    Power On
    Kernel Loading, Windows HAL Loading, Device Driver Loading
    802.1X Machine Auth
    Obtain Network Address (Static, DHCP)
    Determine Site and DC (DNS, LDAP)
    Establish Secure Channel to AD (LDAP, SMB)
    Kerberos Authentication (Machine Account)
    Computer GPOs Loading (Async)
    GPO based Startup Script Execution
    Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update
    GINA
    User VLAN (assigned at 802.1X User Auth):
    802.1X User Auth
    Kerberos Auth (User Account)
    User GPOs Loading (Async)
    GPO based Logon Script Execution (SMB)

    X = components that are in a race condition with 802.1X Auth (Fast Logon Optimization)

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 98

    Problem 3: VLAN Assignment and GPOs

    [Figure: same boot cycle; the machine is on VLAN1 10.1.1.1 after 802.1X Machine Auth and moves to VLAN2 99.1.1.1 after 802.1X User Auth; start of 802.1X auth may vary among supplicants]
    Power On
    Kernel Loading, Windows HAL Loading, Device Driver Loading
    802.1X Machine Auth
    Obtain Network Address (Static, DHCP)
    Determine Site and DC (DNS, LDAP)
    Establish Secure Channel to AD (LDAP, SMB)
    Kerberos Authentication (Machine Account)
    Computer GPOs Loading (Async)
    GPO based Startup Script Execution
    Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update
    GINA
    802.1X User Auth
    Kerberos Auth (User Account)
    User GPOs Loading (Async)
    GPO based Logon Script Execution (SMB)

    Components that are in a race condition with 802.1X Auth

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 99

    Vista SP1/Windows 2008 and XP SP3

    If the supplicant fails 802.1X authentication once, it goes down for twenty minutes before it tries again

    Vista SP1/Windows 2008 - KB957931 http://support.microsoft.com/kb/957931

    XP SP3 KB coming soon

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 100

    802.1X and Windows Recommendations

    Machine Authentication is mandatory for managed environments

    Consider machine authentication only

    Manage auth behavior on XP SP2/2000 via registry keys

    http://support.microsoft.com/kb/309448/en-us

    http://www.microsoft.com/technet/network/wifi/wififaq.mspx

    Manage XP SP3/Vista Supplicant through XML

    http://support.microsoft.com/kb/929847

    Use the automatic provisioning built into AD if possible

    Machines are provisioned automatically with a machine password

    Can have certificates automatically provisioned via AD GPOs

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 101

    VLANs and Windows: Recommendations

    When using Dynamic VLANs:

    Disable Fast Logon Optimization

    Use the same VLAN for machine and user authorization

    VLAN assignment requires AD, DHCP server, and network switch changes (planning, routing, trunking, etc.)

    Access Control Lists (ACLs) are a policy enforcement alternative to VLANs. Beware of TCAM implications: the number of ACEs on L3 switch is limited.

    ACL per port can be assigned by RADIUS server per group.

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 102

    802.1X Deployment Considerations

    Non-802.1X Clients & Guests

    Failed Access Handling

    RADIUS Availability

    Flexible Authentication Sequencing

    Multiple Devices Per Port

    Authorization

    Authentication and Endpoint Considerations

    802.1X and Microsoft Windows

    Other Considerations

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 103

    Remote Desktop

    XP: Microsoft Remote Desktop logs off the local user and drops the machine into machine mode which results in a machine auth.

    Vista: Leaves the local user logged onto the system, so it does not trigger an 802.1X auth.

    If machine authentication and user authentication result in the same VLAN then there are no problems

    If machine authentication puts the machine in a different VLAN, then user authentication must be maintained despite Windows logging the user off.

    SSC on XP provides the above solution

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 105

    interface fastEthernet 3/48
    authentication port-control auto

    ALL traffic except EAPoL is dropped

    One Physical Port -> Two Virtual ports: Uncontrolled port (EAPoL only), Controlled port (everything else)

    PXE BIOS

    PXE BIOS needs network access within 60 seconds of link-up to download bootable OS

    Most PXE implementations do not support 802.1X.

    No 802.1X = No network access = No OS download.

    Pre eXecution Boot Environment (PXE) - Default Security Impact

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 106

    [Figure: PXE client 00.0a.95.7f.de.06 on a Dot1x/MAB port, with the RADIUS server]

    interface GigabitE 3/13
    authentication port-control auto
    dot1x timeout tx-period 10
    mab

    Sequence (* exact packet sequence will vary):
    Upon link up: EAPOL-Request (Identity), unanswered; PXE BIOS DHCP Discover 1 dropped
    10 seconds: EAPOL-Request (Identity), unanswered; DHCP Discover 2 dropped
    10 seconds: EAPOL-Request (Identity), unanswered; DHCP Discover 3 dropped
    EAPOL timeout: initiate MAB, learn MAC (variable)
    RADIUS Access-Request: 00.0a.95.7f.de.06
    RADIUS Access-Accept: port enabled
    DHCP Discover 4 passes; PXE continues

    PXE Solution 1: MAC Authentication Bypass (MAB) *

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 107

    Selectively Open Access

    Open Mode (Pinhole)

    On Specific TCP/UDP Ports for PXE

    Restrict to Specific Addresses

    EAP Allowed (Controlled Port)

    Download general-access ACL upon authentication

    Block General Access Until Successful MAB

    Pinhole explicit tcp/udp ports to allow desired access

    interface GigabitE 3/13
    authentication port-control auto
    authentication open
    ip access-group UNAUTH in

    PXE BIOS

    PXE Solution 2: Open Mode with Interface ACL

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 108

    Selectively Open Access Outbound

    802.1X controls port traffic in BOTH directions

    Use WOL support on switch to allow outbound (from switch) traffic to wake up device

    Default - Block Outbound Traffic Until Successful 802.1X/MAB

    Allow outbound traffic

    interface GigabitE 3/13
    authentication port-control auto
    authentication control-direction in

    WOL Capable Device

    Wake On LAN (WOL) and 802.1X

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 110

    AMT has a supplicant on the NIC

    AMT Device is authenticated before PXE BIOS

    PXE can proceed as if 802.1X was never enabled

    AMT Device is authenticated after device goes to sleep

    Defends IP address of upper layer OS.

    No more directed broadcasts for WoL Magic packets

    Looks the same as without 802.1X

    Authenticated User: AMT

    interface fastEthernet 3/48
    authentication port-control auto
    dot1x pae authenticator

    After Authentication

    Intel Advanced Management Technology (AMT) - PXE and WoL Solution

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 111

    Monitoring and Troubleshooting

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 112

    802.1X Monitoring and Trouble Shooting

    Major components to 802.1X monitoring

    RADIUS accounting

    NAD logs

    RADIUS logs

    NAD CLI

    SNMP on NAD

    Major components of 802.1X Troubleshooting

    Correlated log reports ACS View

    Third party log analysis and reporting

    SNMP on NAD

    NAD CLI

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 113

    802.1X with RADIUS Accounting

    Supplicant 802.1X Process: 1 Authenticate

    2 Access-Accept

    RADIUS Process

    2 EAPOL-Success

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 114

    802.1X with RADIUS Accounting

    Accounting-request packets

    Contains one or more AV pairs to report various events and related information to the RADIUS server

    User-level events are tracked using the same mechanism

    Supplicant 802.1X Process: 1 Authenticate

    2 Access-Accept

    3 Accounting Request

    RADIUS Process

    2 EAPOL-Success

    4 Accounting Response

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 115

    802.1X with RADIUS Accounting

    Similar to other accounting and tracking mechanisms that already exist using RADIUS

    Can now be done through 802.1X

    Increases network session awareness

    Provides information into a management infrastructure about who logs in, session duration, support for basic billing usage reporting, etc.

    Provides a means to map the information of authenticated identity to IP address and location:

    IOS
    aaa accounting dot1x default start-stop group radius

    Identity, Port, MAC, Switch (from RADIUS accounting) + IP, Port, MAC, Switch (from the switch) = Identity <-> IP; Switch + Port = Location
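    The correlation the slide draws, as an added example that is not part of the Cisco deck: RADIUS accounting records are folded into a session table that answers "who is behind this IP, and on which switch port". The records are constructed (attribute=value lines, blank line between records). The NAS address 10.0.100.90 is what the leading eight hex digits of the Common Session IDs shown later in the deck (0A00645A) decode to, and is otherwise an assumption of this example.

```python
"""Added example (not from the Cisco deck): correlate RADIUS accounting
records into Identity <-> IP and Switch + Port = Location. Records below are
constructed; the NAS address is decoded from the deck's session IDs."""

CONSTRUCTED_ACCOUNTING = """\
Acct-Status-Type=Start
Acct-Session-Id=0x00000011
User-Name=nac\\darrimil
Calling-Station-Id=00-0D-60-FC-8B-F5
NAS-IP-Address=10.0.100.90
NAS-Port-Id=GigabitEthernet7/1

Acct-Status-Type=Interim-Update
Acct-Session-Id=0x00000011
Framed-IP-Address=10.6.50.2

Acct-Status-Type=Start
Acct-Session-Id=0x00000009
User-Name=00-0F-23-22-D9-A2
Calling-Station-Id=00-0F-23-22-D9-A2
NAS-IP-Address=10.0.100.90
NAS-Port-Id=GigabitEthernet7/1
Framed-IP-Address=10.6.110.2

Acct-Status-Type=Stop
Acct-Session-Id=0x00000009
"""


def parse_records(text: str):
    for block in text.strip().split("\n\n"):
        yield dict(line.split("=", 1) for line in block.splitlines())


def build_sessions(text: str) -> dict:
    """Session table keyed by Acct-Session-Id. Start carries identity, MAC and
    location; the IP may only arrive in a later Interim-Update once the switch
    has learned it; Stop closes the session."""
    sessions = {}
    for rec in parse_records(text):
        sid, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        if status == "Start":
            sessions[sid] = {
                "user": rec["User-Name"],
                "mac": rec["Calling-Station-Id"].lower().replace("-", ""),
                "switch": rec["NAS-IP-Address"],
                "port": rec["NAS-Port-Id"],
                "ip": rec.get("Framed-IP-Address"),
                "active": True,
            }
        elif sid in sessions:
            sessions[sid]["ip"] = rec.get("Framed-IP-Address", sessions[sid]["ip"])
            if status == "Stop":
                sessions[sid]["active"] = False
    return sessions


def who_is(sessions: dict, ip: str):
    """Identity and location (switch + port) behind an IP, active sessions only."""
    for s in sessions.values():
        if s["active"] and s["ip"] == ip:
            return s["user"], f"{s['switch']} {s['port']}"
    return None


def nas_ip_from_session_id(common_session_id: str) -> str:
    """The first eight hex digits of an IOS Common Session ID are the NAS IP."""
    return ".".join(str(int(common_session_id[i:i + 2], 16)) for i in range(0, 8, 2))


if __name__ == "__main__":
    table = build_sessions(CONSTRUCTED_ACCOUNTING)
    print(who_is(table, "10.6.50.2"))
    print(nas_ip_from_session_id("0A00645A0000000D0030B498"))
```

    Keying on Acct-Session-Id rather than on MAC matters: the same MAC can reappear on another port (the phone-and-PC cases earlier in the deck), and only the Stop record tells you which of the two sessions is stale.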

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 116

    Troubleshooting: Identify Points of Failure

    It is important to understand the failure point in the picture

    It is important to understand which issue causes what failures

    In most cases the description of the issue symptom can be vague or misleading, and you must correlate separate pieces of information for problem resolution.

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 117

    ACS View 5.0 RADIUS Authentication

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 118

    ACS View 5.0 Authentications Details

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 119

    Simple Homegrown Tools

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 120

    802.1X Port Config

    ID-6500a#sho authentication session interface gigabitEthernet 7/1
    Interface: GigabitEthernet7/1
    MAC Address: 000f.2322.d9a2
    IP Address: 10.6.110.2
    User-Name: 00-0F-23-22-D9-A2
    Status: Authz Success
    Domain: VOICE
    Oper host mode: multi-domain

    Oper control dir: both

    Posture Token: Unknown

    Authorized By: Authentication Server

    Session timeout: N/A

    Idle timeout: N/A

    Common Session ID: 0A00645A00000007000E37CC

    Acct Session ID: 0x00000009

    Handle: 0x0E000007

    Runnable methods list:

    Method State

    dot1x Failed over

    mab Authc Success

    ----------------------------------------

    Interface: GigabitEthernet7/1

    MAC Address: 000d.60fc.8bf5

    IP Address: 10.6.50.2

    User-Name: nac\darrimil

    Status: Authz Success

    Domain: DATA

    Oper host mode: multi-domain

    Oper control dir: both

    Posture Token: Healthy

    Authorized By: Authentication Server

    Vlan Policy: 50

    Session timeout: N/A

    Idle timeout: N/A

    Common Session ID: 0A00645A0000000D0030B498

    Acct Session ID: 0x00000011

    Handle: 0x1500000D

    Runnable methods list:

    Method State

    dot1x Authc Success

    mab Not run

    interface GigabitEthernet7/1
    switchport
    switchport mode access
    switchport voice vlan 110
    ip access-group default_acl in
    authentication event fail action next-method
    authentication host-mode multi-domain
    authentication open
    authentication priority dot1x mab
    authentication port-control auto
    authentication violation restrict
    mab
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast edge

    For Your Reference

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 121

    ACS 5.0

    EAP Problem: Certificate Trust Issues

    One of the most common issues seen in deployment and pilots

    ACS 4.2

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 122

    802.1X Authorization Failure 1

    In case network authorization is NOT ENABLED on the NAD

    ACS Message Type: Authentication Successful

    Authentication Failure Reason (AFR): There is no AFR associated with this error since authentication succeeds

    User Experience:

    The following CLI is missing: aaa authorization network default group radius

    VLAN assignment succeeds but assigns the port to VLAN 0. Consequently, since there is no VLAN 0, the default port VLAN is used for the address.

    Session Timeout (RADIUS Attribute 27) is not assigned to the port as the reauthentication timer value. Also, the reauthentication timer becomes 0, which means that there will be no reauthentication. Supplicant might try to re-

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 123

    802.1X Authorization Failure 1

    ID-6500a#debug condition interface GigabitEthernet 7/1   <- New feature

    ID-6500a#debug auth feature vlan_assign event

    Auth Feature vlan_assign events debugging is on

    *Dec 15 14:46:58.439: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1

    *Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1

    *Dec 15 14:46:59.243: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1

    *Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0

    *Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1

    ID-6500a#sho authentication sess interface g 7/1

    Interface: GigabitEthernet7/1

    MAC Address: 000d.60fc.8bf5

    IP Address: 10.6.50.2

    User-Name: nac\darrimil

    Status: Authz Success

    Domain: DATA

    Oper host mode: multi-domain

    Oper control dir: both

    Authorized By: Authentication Server

    Vlan Policy: N/A

    Session timeout: N/A

    Idle timeout: N/A

    Common Session ID: 0A00645A0000000E005DD8A8

    Acct Session ID: 0x00000013

    Handle: 0xF900000E

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 124

    802.1X Authorization Failure 2

    In case an invalid RADIUS attribute is sent in the RADIUS Access-Accept

    ACS Message Type: Authen Successful

    AFR: There is no AFR associated with this error since authentication succeeds

    User Experience:

    RADIUS Access-Accept with an invalid RADIUS Attribute 81 (Tunnel-private-group-ID) is sent

    A string value needs to match a VLAN name that exists on the switch. If an integer, it needs to match a VLAN ID that exists on the switch

    Passed Authentication reports authentication is successful

    Authorization failure on switch is NEVER reported back to ACS.

    *Dec 15 15:03:21.007: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
    *Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
    *Dec 15 15:03:21.911: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
    *Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
    *Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 125

    802.1X Authorization Failure 3

    In case an invalid RADIUS attribute is sent in the RADIUS Access-Accept

    ACS Message Type: Authen Successful

    AFR: There is no AFR associated with this error since authentication succeeds

    User Experience:

    *Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
    *Aug 26 13:44:29.991: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
    *Aug 26 13:44:29.991: %EPM-6-POLICY_REQ: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=APPLY
    *Aug 26 13:44:29.991: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023| EVENT=DOWNLOAD-REQUEST
    *Aug 26 13:44:30.003: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023| EVENT=DOWNLOAD-SUCCESS
    *Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
    *Aug 26 13:44:30.003: %EPM-6-IPEVENT: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=IP-WAIT
    *Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1

    When the Downloadable ACL feature is used, there must be an interface ACL applied to the interface.

    Passed Authentication reports authentication is successful

    Authorization failure on switch is NEVER reported back to ACS.
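    Because the three authorization failures above never reach ACS, the switch syslog is the only place they can be caught. The scanner below is an added example, not from the Cisco deck: it watches for the message types shown on the preceding slides (%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND, %EPM-4-POLICY_APP_FAILURE, the VLAN 0 assignment event and %AUTHMGR-5-FAIL) and reports, per client and interface, why a session that authenticated successfully was not authorized. The sample lines are constructed from those message formats; the MACs and interfaces of the second and third clients are made up.

```python
"""Added example (not from the Cisco deck): scan switch syslog for 802.1X
sessions that authenticated but failed (or silently lost) authorization, the
condition the slides note is never reported back to ACS. Sample lines are
constructed from the message formats shown on the slides."""
import re

CONSTRUCTED_SYSLOG = """\
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi7/2
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=0011.2233.4455| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (0011.2233.4455) on Interface Gi7/2
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000f.2322.d9a2) on Interface Gi7/3
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/3): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000f.2322.d9a2) on Interface Gi7/3
"""

CLIENT_IF = re.compile(r"client \(([0-9a-f.]+)\) on Interface (\S+)")
VLAN_NOT_FOUND = re.compile(r"%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: .*VLAN (\S+) to 802\.1x port (\S+)")
DACL_FAILURE = re.compile(r"%EPM-4-POLICY_APP_FAILURE: .*MAC=([0-9a-f.]+)\|.*POLICY_NAME=([^|]+)\|.*REASON=(.+)$")
VLAN_ZERO = re.compile(r"AUTH-FEAT-VLAN-ASSIGN-EVENT \((\S+)\): Successfully assigned VLAN 0")


def short_if(name: str) -> str:
    """Normalise 'GigabitEthernet7/1' to the 'Gi7/1' form the AUTHMGR messages use."""
    return name.replace("GigabitEthernet", "Gi").replace("FastEthernet", "Fa")


def find_authz_problems(syslog: str) -> list:
    """Return (mac, interface, reason) for every authenticated session whose
    authorization failed, plus the VLAN 0 case where authorization 'succeeds'
    because the switch never applied the RADIUS authorization attributes."""
    findings = []
    reason_by_if, reason_by_mac, last_mac_by_if = {}, {}, {}
    for line in syslog.strip().splitlines():
        if "%DOT1X-5-SUCCESS" in line:
            mac, iface = CLIENT_IF.search(line).groups()
            last_mac_by_if[iface] = mac
        elif m := VLAN_NOT_FOUND.search(line):
            # The VLAN message names the long interface form; the FAIL uses the short one
            reason_by_if[short_if(m.group(2))] = f"non-existent or shutdown VLAN {m.group(1)}"
        elif m := DACL_FAILURE.search(line):
            # The EPM message carries the MAC but not the interface
            reason_by_mac[m.group(1)] = f"dACL {m.group(2)}: {m.group(3)}"
        elif "%AUTHMGR-5-FAIL" in line:
            mac, iface = CLIENT_IF.search(line).groups()
            reason = (reason_by_if.pop(iface, None) or reason_by_mac.pop(mac, None)
                      or "reason not logged")
            findings.append((mac, iface, reason))
        elif m := VLAN_ZERO.search(line):
            iface = m.group(1)
            findings.append((last_mac_by_if.get(iface), iface,
                             "VLAN 0 assigned: 'aaa authorization network' missing on switch"))
    return findings


if __name__ == "__main__":
    for mac, iface, reason in find_authz_problems(CONSTRUCTED_SYSLOG):
        print(f"{iface} {mac}: {reason}")
```

    The third finding is the one worth the effort: the AUTHMGR message says authorization succeeded, so only the VLAN 0 event distinguishes a port that silently ignored its VLAN policy from one that applied it.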

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 126

    Looking Forward

  • 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-2005 127

    Overview of Cisco TrustSec

    Cisco TrustSec (CTS) affects multiple areas of the network and comprises improvements in the following areas:

    1. Confidentiality & Integrity
    2. Centralized Role Based Access Control (RBAC) Policy Administration
    3. Identification, Authentication and Authorization for all networked entities, and classification into topology independent security groups

    SGACL Enforcement (1)

    RBACLs

    Source   Destination
    4        S1+S2
    7        S1
    9        S2

    User 1 has access to both servers

    Figure: User 1, User 2 and User 3 enter at access switches that tag their traffic; Cisco ACS, backed by an external directory server, supplies the policy; SGACLs are enforced in front of Server 1 and Server 2.

    1. Security Group Tag is applied on ingress switch port

    2. Role/attribute-based ACL policies are applied on the security group

    SGACL Enforcement (2)

    User 1 has access to both servers

    User 2 has access to Server 1

    RBACLs

    SGT   DGT
    4     S1+S2
    7     S1
    9     S2

    Figure: User 1, User 2 and User 3 enter at access switches that tag their traffic; Cisco ACS, backed by an external directory server, supplies the policy; SGACLs are enforced in front of Server 1 and Server 2.

    1. Security Group Tag is applied on ingress switch port

    2. Role/attribute-based ACL policies are applied on the security group

    SGACL Enforcement (3)

    RBACLs

    SGT   DGT
    4     S1+S2
    7     S1
    9     S2

    User 1 has access to both servers

    User 2 has access to Server 1

    User 3 access to Server 1 denied

    Figure: User 1, User 2 and User 3 enter at access switches that tag their traffic; Cisco ACS, backed by an external directory server, supplies the policy; SGACLs are enforced in front of Server 1 and Server 2, and User 3 is shown being denied at Server 1.

    1. Security Group Tag is applied on ingress switch port

    2. Role-based ACL policies are applied on security group tags
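As an added illustration, not code from the deck or from Cisco, the two steps on these slides (tag at the ingress port, enforce per SGT/DGT cell at the egress switch) modelled in Python. The SGTs 4, 7 and 9 and their S1/S2 mapping come from the RBACL table on the slides; the destination group tags, server addresses, identity-to-SGT mapping and per-cell entries are constructed assumptions. It goes slightly beyond the slide by giving each cell an ordered list of entries with an implicit deny at the end, which is what lets a cell be narrower than a plain permit.

```python
from dataclasses import dataclass
from typing import Optional

# Security group tags used on the slides (SGT 4 -> S1+S2, SGT 7 -> S1, SGT 9 -> S2).
SGT_BOTH_SERVERS = 4
SGT_SERVER_1_ONLY = 7
SGT_SERVER_2_ONLY = 9
# The slides only name the destinations S1 and S2; these destination group tags are constructed.
DGT_SERVER_1 = 100
DGT_SERVER_2 = 200


@dataclass(frozen=True)
class Ace:
    """One access control entry inside an SGACL cell."""
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"


# Step 2 on the slide: the role-based policy, keyed by (source SGT, destination DGT).
# Only the cells the RBACL table permits are populated; an absent cell falls back to deny,
# so User 3 (SGT 9) has no path to Server 1 regardless of IP address or VLAN.
# The per-cell entries are constructed to show that a cell can be narrower than "permit all".
SGACL_MATRIX = {
    (SGT_BOTH_SERVERS, DGT_SERVER_1): [Ace("tcp", 443, "permit"), Ace("tcp", 22, "permit")],
    (SGT_BOTH_SERVERS, DGT_SERVER_2): [Ace("tcp", 443, "permit")],
    (SGT_SERVER_1_ONLY, DGT_SERVER_1): [Ace("tcp", 443, "permit")],
    (SGT_SERVER_2_ONLY, DGT_SERVER_2): [Ace("any", None, "permit")],
}

# Step 1 on the slide: classification at the ingress port. On real hardware the SGT arrives
# with the authorization result from ACS; here it is a constructed lookup from the
# authenticated identity. Destinations are classified by their (constructed) server address.
INGRESS_SGT = {"user1": SGT_BOTH_SERVERS, "user2": SGT_SERVER_1_ONLY, "user3": SGT_SERVER_2_ONLY}
DESTINATION_DGT = {"10.0.1.10": DGT_SERVER_1, "10.0.2.10": DGT_SERVER_2}


def classify_ingress(identity: str) -> Optional[int]:
    """Assign the SGT for an authenticated identity; None means no tag was assigned."""
    return INGRESS_SGT.get(identity)


def sgacl_decision(sgt: int, dgt: int, proto: str, dport: int) -> str:
    """Evaluate the SGACL cell for (sgt, dgt) first-match, with an implicit deny at the end."""
    for ace in SGACL_MATRIX.get((sgt, dgt), []):
        if ace.proto in ("any", proto) and ace.dport in (None, dport):
            return ace.action
    return "deny"


def forward(identity: str, dst_ip: str, proto: str, dport: int) -> str:
    """Simulate one flow: tag it at ingress, then enforce at the egress switch in front of the server."""
    sgt = classify_ingress(identity)
    dgt = DESTINATION_DGT.get(dst_ip)
    if sgt is None or dgt is None:
        # Constructed default: an untagged source or unclassified destination matches no cell.
        return "deny"
    return sgacl_decision(sgt, dgt, proto, dport)


if __name__ == "__main__":
    for who, dst in [("user1", "10.0.1.10"), ("user1", "10.0.2.10"),
                     ("user2", "10.0.1.10"), ("user3", "10.0.1.10"), ("user3", "10.0.2.10")]:
        print(f"{who} -> {dst} tcp/443: {forward(who, dst, 'tcp', 443)}")
```

The point the model makes explicit is that the decision never consults the source or destination IP once the tags are known: moving a user to another VLAN or subnet changes nothing, because the matrix is keyed on (SGT, DGT) alone.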

    Customer Case Study

    802.1X Deployment Case Study 1

    Retailer needed to allow only its own assets to connect to the network, due to a lack of physical security

    Selected 802.1X as the technical solution after evaluation

    Primarily a Microsoft desktop and server environment; small group of Mac OS X machines for designers

    Approximately 14,000 ports at home office and remote stores

    Cisco IP Telephony environment

    Pervasive Wireless environment

    802.1X Deployment Case Study 1 (Cont.)

    Selected Machine Authentication only for wired and wireless

    Leveraged the automatic provisioning of machine certificates in Active Directory to provision the machine credentials (automatic user certificates also possible)

    Manually provisioned non-AD devices where possible

    Failed-authentication VLAN and unknown-MAC-address VLAN at remote sites

    No guest WLAN access

    IAB used for AAA failures, for remote-office survivability

    Multiple supplicants; leverage the native OS supplicant where possible

    802.1X Deployment Case Study 1 (Cont.)

    Lab Work

    IP Telephony handled by CDP exceptions

    PXE tested and handled via MAB

    No Wake On LAN

    Decided to handle credential re-provisioning via an SSL VPN account, triggered by a help desk ticket

    Bought a third-party tool to build the MAC address database

    Extended SIM for reporting

    Decided on an access-layer-only deployment, since the data center had physical security