Holistic view of 802.1x integration & optimization

High level design, with visual paradigm

Presentation by: Faisal Md Abdur Rahman, BDPEER | [email protected] | www.bdpeer.com Phone: +8801687477308

What we will talk about

Campus network in practice

Security in practice

802.1x, PEAP, EAP-TLS, EAP-FAST explained for campus network

Policy based access control

Network Admission Control (NAC)

Introducing NAC appliance

Secure network design with NAC for LAN & WLAN network

Device profiling, posture check, guest redirection explained

A case study scenario.


We will not talk about

Network design (routing, switching, WAN technologies)

Network Quality of Service for routing & switching

Basic WLAN infrastructure design.

Network design models in detail.


Campus Area Network (CAN)

The network consists of switches, routers and firewalls.

The network infrastructure is owned and operated by the organization itself.

A CAN spans an area of roughly 1 km to 5 km.

Users within the network are free to use network resources once they are inside the campus perimeter.


CAN Pros & Cons

Advantages

Easy to build and maintain.

Open to all, including personal hand-held devices and laptops.

Easy sharing and storage of resources within the network, accessible from anywhere on the network.

Network resources stay within the network and are firewalled from external threats.

Users use a secure login (SSO, e.g. Shibboleth) to access resources within the network.


Disadvantages

Identity can be tampered with: an unauthorized user holding valid credentials can reach resource locations within the network they are not entitled to, while the system records the access as made by an authorized person.

User rights are the same across the entire network regardless of which device the user is using or which network location the user connects from.

Transparent to any firewall / IPS / IDS appliance.

Device authorization scope is very limited and not dynamic.

Management is slow, and authentication / authorization events are not visible to the network administrator.


CAN Pros & Cons

Identity loss or unauthorized access (using valid credentials) is never detected if the intruder does no harm to resources.

Authorized users can access network resources from any device that supports local network-based authentication / SSO (e.g. AD, OpenLDAP, Shibboleth, OTP, RADIUS).

Any device can access the network even if it is not security compliant (e.g. missing patches, outdated AV definitions, non-compliant applications).

Guest management is painful: guest access requires extra network administrator effort and time to manage a new network.

Device isolation per service is complicated.


CAN security in practice


Diagram (labels only). External threat prevention: IPS / IDS, PBR, zone based firewall.

Internal threat prevention: AD, OTP, openLDAP, RSA Token; system hardening; DLP, awareness.

CAN proposed network security


Diagram (labels only). Identity Service Engine core, linked to:

Network Security

LAN Network: Switched network; Wireless network (WLAN Controller, Lite AP, AP)

VPN Access

Identity source: AD, OTP, Internal CA, External RADIUS, External MDM

Mobility Services: agent less, agent based

CAN proposed security features

Features (diagram):

Device profiling: automatic, manual

BYOD: device registration / redirection, dynamic profile allocation, TLS handshake

Posture check: posture profiling, posture object

Dynamic access control: MAB, policy based, 802.1x

Guest redirection: user / device redirection, guest mgmt.


Authentication method explained

MAC Authentication Bypass

Method of exempting listed MAC addresses from the 802.1x authentication process when they are detected on an 802.1x-enabled port.

802.1x based authentication

Method of forwarding 802.1x requests to the Identity Source server (AD, openLDAP etc.) through the Access Server.

**NAD devices (switches, routers, firewalls, virtual network devices) establish communication with the Access Server using a pre-shared key before forwarding 802.1x requests to it.

The Access Server collects all authentication requests and forwards them accordingly.
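Added example (not from the deck, not Cisco or ISE code): the RADIUS exchange a MAB lookup produces between a NAD and the Access Server, built on RFC 2865 framing, showing how the pre-shared key both hides User-Password on the way out and authenticates the reply on the way back. The Call-Check Service-Type, the MAC-as-username convention and the names `mab_exceptions`, `build_mab_request`, `access_server_reply` and `nad_accepts` are assumptions for this illustration, not taken from the slides.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
CALL_CHECK = 10  # Service-Type value assumed for MAB requests (Call-Check)
def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value
def parse_attrs(blob):
    attrs, i = {}, 0
    while i < len(blob):
        alen = blob[i + 1]
        attrs[blob[i]] = blob[i + 2:i + alen]
        i += alen
    return attrs

def xor_chain(secret, request_auth, data, hiding):
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    # seeded with the Request Authenticator; the same walk hides and reveals.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def build_mab_request(secret, mac, ident, request_auth=None):
    # NAD side: for MAB the learned MAC is sent as both User-Name and User-Password.
    request_auth = request_auth or os.urandom(16)
    plain = mac.replace(":", "").replace("-", "").lower().encode()
    padded = plain + b"\x00" * (-len(plain) % 16)
    attrs = (attr(USER_NAME, plain)
             + attr(USER_PASSWORD, xor_chain(secret, request_auth, padded, True))
             + attr(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
             + attr(CALLING_STATION_ID, mac.upper().replace(":", "-").encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_auth(secret, head, request_auth, attrs):
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def access_server_reply(secret, request, mab_exceptions):
    # Access Server side: recover User-Password with the shared key; accept only Call-Check
    # requests whose MAC is on the constructed MAB exception list.
    a = parse_attrs(request[20:])
    pw = xor_chain(secret, request[4:20], a[USER_PASSWORD], False).rstrip(b"\x00")
    ok = (a.get(SERVICE_TYPE) == struct.pack("!I", CALL_CHECK)
          and pw == a[USER_NAME] and a[USER_NAME].decode(errors="replace") in mab_exceptions)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return head + response_auth(secret, head, request[4:20], b"")

def nad_accepts(secret, request, response):
    # NAD side: honour the verdict only if the Response Authenticator was built with the key.
    expected = response_auth(secret, response[:4], request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20]) and response[0] == ACCESS_ACCEPT
```

A reply forged without the key, or a request hidden with a different key, is rejected on the respective side, which is why the deck insists the pre-shared key be defined on both the NAD and the Access Server.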


Protocols for authentication

RADIUS

PEAP or Protected Extensible Authentication Protocol

EAP-TLS or certificate based authentication.

EAP-FAST to carry both TLS and non-TLS authentication.

Inner methods

MSCHAPv2, MSCHAP, MD5

TLS


802.1x components configuration

The 802.1x server (Access Server) needs the switches / wireless controllers added, each with a pre-shared key defined.

Switch port 802.1x enablement

Switch / wireless controller configured to contact the Access Server using the pre-shared key.

Dynamic authorization enablement (if supported by the NAD devices).

User PCs / servers or VMs need an 802.1x supplicant (Windows or Linux built-in, or a third-party supplicant such as Cisco AnyConnect) enabled.

Finally, the corresponding rules for 802.1x authentication & authorization.


MAB configuration components

Access server configuration for 802.1x exception

Switch port MAB enablement configuration

Open SSIDs in the WLAN to be configured for MAB, for guest redirection.


Policy based dynamic access

Can be achieved using Microsoft NPS (no posture, device profiling, MDM integration or BYOD; needs Windows Server 2K8 or 2K12 Enterprise licensing).

Can be achieved using Cisco ISE (licensed product; needs feature unlock licenses).

Can be achieved using OpenNAC (open-source, no posture).

Can be achieved using PacketFence (open-source, supports almost everything).


Dynamic NAC process


Flowchart (labels only), in decision order:

Failover? / Learn MAC -> Start IEEE 802.1x

IEEE 802.1x fails -> Retries exceeded? (N: retry 802.1x; Y: continue)

MAB configured? (N: continue) -> MAB pass? (Y: MAB Authorization; N: continue)

Web-Auth? (N: continue) -> Web-Auth passed? (Y: Web-Authorization; N: continue)

Auth Fail? (Y: Auth-Fail VLAN; N: No Access)

No Access -> Quiet Period expire / Restart Timer -> Restart Time expire -> back to Learn MAC / Start IEEE 802.1x
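The flowchart above as an added Python simulation (not part of the deck, not vendor code): the fallback order follows the flowchart, and the port settings mirror the "authentication event" lines of the NAD switch slide. Treating "Failover" as the RADIUS-server-dead case that authorizes the critical VLAN 10, and the method / authorization labels returned, are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PortConfig:
    # Port settings the flowchart consults, in the order it consults them (assumed names).
    mab: bool = True                       # MAB configured?
    webauth: bool = True                   # Web-Auth configured?
    authfail_vlan: Optional[int] = None    # Auth-Fail VLAN, if one is configured
    critical_vlan: Optional[int] = 10      # "authentication event server dead action authorize vlan 10"
    max_reauth: int = 3                    # 802.1x retries before "Retries exceeded"

@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool
    dot1x_ok: bool = False                 # supplicant credential accepted by the Access Server
    webauth_ok: bool = False               # user completed the web portal login

def authenticate(port, ep, mab_exceptions, server_alive=True, log=None):
    """Walk the flowchart once; returns (method, authorization) and appends the path to log."""
    log = log if log is not None else []
    if not server_alive:                   # Failover: RADIUS dead -> critical authorization (assumed)
        log.append("RADIUS server dead")
        return ("critical", port.critical_vlan) if port.critical_vlan else ("no-access", None)
    log.append("start IEEE 802.1x")
    if ep.has_supplicant and ep.dot1x_ok:
        return ("dot1x", "policy-assigned")
    # No EAPOL reply (no supplicant) or rejected credential: retry until retries exceeded
    log.append(f"802.1x failed, retries exceeded after {port.max_reauth}")
    if port.mab:                           # MAB configured? -> learn MAC -> MAB pass?
        log.append(f"MAB lookup {ep.mac}")
        if ep.mac in mab_exceptions:       # constructed exception list: MAC -> VLAN
            return ("mab", mab_exceptions[ep.mac])
    if port.webauth:                       # Web-Auth? -> Web-Authorization when passed
        log.append("Web-Auth redirect")
        if ep.webauth_ok:
            return ("webauth", "guest")
    if port.authfail_vlan:                 # Auth Fail? -> Auth-Fail VLAN
        return ("auth-fail", port.authfail_vlan)
    log.append("no access: quiet period, then restart timer")
    return ("no-access", None)
```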

Implementation summary

Deploying AD with domain name “bdnog2016.org”. (Optional)

Deploying Certificate server (Microsoft CA, Entrust CA, OpenSSL etc.) (Optional)

Deploying external RADIUS server. (Optional)

Deploying OTP server (Optional)

Deploying Identity Service Solution (ISE, Open-NAC or PacketFence). (mandatory)

Select a supported NAD device. Cisco WS-C2960+24PC-L is ideal for this operation; Dell Force10 switches and specific PowerConnect models can also be selected.

Use a wireless controller (Cisco WLC, Aruba, Chillispot for DD-WRT based APs, etc.)


CASE STUDY SCENARIO: ISE

Discussion of a study that has already been implemented and is functional in one of the largest NGOs in Bangladesh, covering all 87 branches connected via an MPLS backbone.


Solution High Level Design


Placement in network

Recommended to deploy in the server zone. Not necessary to deploy in the DMZ, as the service will be used by users within the organization.

Must have strict firewall policies that permit only the ports needed for 802.1x, RADIUS, web-portal redirection & posture redirection.

The Wireless LAN Controller can be placed on an L2 or L3 network (use FQDN broadcast via the enterprise Domain Controller).

All NAD devices (switches, firewalls, Wireless LAN Controllers) should be able to communicate with both ISE servers.


Advanced placement issues

Do not place the ISE or NAC servers in the Access Zone.

Create a separate zone for ease of policing and security issue mitigation.

If de-centralized DHCP broadcast is used (in the case of L3 MPLS), try the FlexConnect option at the branch AP.

Use Flex-ACL and AP-Group policy to make management easy and to ensure session control for web-redirection (avoids 500 Internal Error).


NAD configuration (Switch)

Switch-Global configuration
-----------------------------
Switch(config)# aaa new-model
! The RADIUS host is the Access Server (ISE); <mykey> is the pre-shared key also entered on ISE
Switch(config)# radius-server host 10.10.2.250
Switch(config)# radius-server key <mykey>
Switch(config)# aaa authentication dot1x default group radius local
Switch(config)# dot1x system-auth-control
! Network authorization from RADIUS carries the dynamic VLAN / ACL the policy returns
Switch(config)# aaa authorization network default group radius
Switch(config)# radius-server vsa send authentication
Switch(config)# radius-server attribute 6 on-for-login-auth
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server attribute 25 access-request include
Switch(config)# radius-server vsa send accounting


Port Configuration (entered under the access interface)
------------------------------
Switch(config-if)# switchport mode access
! On failure fall through 802.1x -> MAB -> Web-Auth, as in the Dynamic NAC process flowchart;
! MAB fallback additionally needs MAB enabled on the port (see "MAB configuration components")
Switch(config-if)# authentication event fail action next-method
! Critical authorization: put the port in VLAN 10 while no RADIUS server is reachable
Switch(config-if)# authentication event server dead action authorize vlan 10
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# authentication host-mode multi-auth
Switch(config-if)# authentication closed
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation restrict
! "ip device tracking" is a global-configuration command on most IOS releases;
! the interface-level form is "ip device tracking maximum <n>"
Switch(config-if)# ip device tracking
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast

NAD Configuration (WLC)

Remote APs should be in FlexConnect mode.

Permit & deny ACLs should be configured on the WLC and referenced in ISE policy so they can be dynamically allocated to wireless users.

A redirection ACL should be configured on the WLC (for Flex APs the ACL is a Flex-ACL, with a similar empty ACL in the normal ACL list).


Enjoy 802.1x
