BRKSEC-2005 Deploying Wired 802.1x

Post on 07-Mar-2018


Source: d2zmdbbm9feqrf.cloudfront.net/2011/anz/pdf/BRKSEC-2005.pdf (Cisco Live 2011, ANZ)

BRKSEC-2005

Deploying Wired 802.1x


© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKSEC-2005

Session Objective

Understand base 802.1X concepts

Learn the benefits of deploying 802.1X

Learn how to configure and deploy 802.1X

Learn lessons on how to make it work when you get back to your lab


Agenda

802.1X and Wired Access

Default Functionality

Deployment Considerations

Reporting and Monitoring

Looking Forward

Deployment Case Study


What We Won’t Be Covering

AAA authentication on routers

IPSec authentication

In-depth concepts on identity management and single sign-on (upper layer identity)

Specific Extensible Authentication Protocol (EAP) methods in depth

X.509 certificates and PKI

Wireless LAN 802.1X

Switch Features that are not consistent across platforms

CatOS


802.1X and Wired Access


Why is 802.1X Important in the Campus

1) Who are you? 802.1X (or a supplementary method) authenticates the user.

2) Where can you go? Based on the authentication result, the user is placed in the correct VLAN.

3) What service level do you receive? The user can be given per-user services (ACLs today, more to come).

4) What are you doing? The user's identity and location can be used for tracking and accounting.

• Keep the Outsiders Out
• Keep the Insiders Honest
• Personalise the Network
• Increase Network Visibility


Basic Identity Concepts

What is an identity?
• An assertion of who we are
• Allows us to differentiate between one another

What does it look like? Typical network identities include:
• Username / Password
• Email: [email protected]
• MAC Address: 00-0c-14-a4-9d-33
• IP Address: 10.0.1.199
• Digital Certificates

How do we use identities?
• To grant appropriate authorisations: rights to services within a given domain


What Is Authentication? Authorisation?

Authentication is the process of establishing and confirming the identity of a client requesting services.

Authentication is only useful if it is used to establish a corresponding authorisation (e.g. access to a bank account):

"I'd like to withdraw 100.00 AUD please."
"Do you have identification?"
"Yes, I do. Here it is."
"Thank you. Here's your 100 AUD."

An authentication system is only as strong as the method of verification used.


Identity-Enabled Networking

Applying the Authentication Model to the Network

I’d Like to Connect to the Network.

Identification required

Here is my identification

Identification verified, access granted!


Default Functionality


IEEE 802.1X

• Standard set by the IEEE 802.1 working group
• A framework designed to provide port-based access control using authentication
• 802.1X is primarily an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
• Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
• Assumes a secure, point-to-point connection between supplicant and authenticator: once one device authenticates, the port is open, so anything else sharing that link (via a hub, for example) rides on that session
• Actual enforcement is via MAC-based filtering and port-state monitoring


802.1X Port Access Control Model

Supplicant --(Layer 2: request for service/connectivity)--> Authenticator --(Layer 3: backend authentication support)--> Authentication Server --(identity store integration)--> Identity Store/Management

Supplicant
• Desktop/laptop
• IP phone
• WLAN AP
• Switch

Authenticator
• Switch
• Router
• WLAN AP

Authentication Server
• IAS / NPS
• ACS
• Any IETF RADIUS server

Identity Store/Management
• MS Active Directory
• LDAP
• NDS
• ODBC


802.1X Protocols

Supplicant --[EAP over LAN (EAPoL) / EAP over WLAN (EAPoW), Layer 2]--> Authenticator --[EAP carried in RADIUS, Layer 3]--> Authentication Server --[ID store-dependent protocol]--> Identity Store


802.1X - Extensible Authentication Protocol (EAP)

Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges.

EAP provides a flexible link-layer security framework:
– Simple encapsulation protocol
  • No dependency on IP
– Few link-layer assumptions
  • Can run over any link layer (PPP, 802, etc.)
  • Assumes no reordering
  • Can run over lossy or lossless media

Defined by RFC 3748


802.1X - RADIUS

RADIUS acts as the transport for EAP from the authenticator to the authentication server.

RFC for how RADIUS should support EAP between authenticator and authentication server: RFC 3579.

RADIUS is also used to carry policy instructions (authorisation) back to the authenticator in the form of AV pairs (Attribute-Value pairs).

Usage guideline for 802.1X authenticators' use of RADIUS: RFC 3580.

Packet layout, authenticator -> server:  IP Header | UDP Header | RADIUS Header | EAP Payload
Packet layout, server -> authenticator:  IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs
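The following is an added example, not code from the Cisco deck: it builds the Access-Request an authenticator sends (User-Name, NAS-Port-Type, EAP-Message) and the Message-Authenticator that RFC 3579 makes mandatory whenever EAP-Message is present, verifies that HMAC the way a server must, builds and checks an Access-Accept's Response Authenticator (RFC 2865) on the switch side, and encodes/decodes the RFC 3580 VLAN AV-pair triplet. The shared secret is the sample value from the slide configuration; the identity `sally`, the VLAN and the EAP bytes are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute numbers used below (RFC 2865, RFC 2868, RFC 3579, RFC 3580)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
NAS_PORT_TYPE_ETHERNET, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 15, 13, 6


def encode_avps(avps):
    """Serialise (type, value) pairs as RADIUS AV pairs: Type(1) Length(1) Value(<=253)."""
    out = b""
    for attr_type, value in avps:
        if len(value) > 253:
            raise ValueError("value too long: EAP-Message must be split across several AVPs")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_avps(data):
    """Walk the attribute list, rejecting bad lengths instead of reading past the buffer."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps


def build_access_request(secret, ident, username, eap_packet, request_auth=None):
    """Access-Request transporting one EAP packet. RFC 3579 requires Message-Authenticator
    (HMAC-MD5 over the whole packet, keyed with the shared secret) alongside EAP-Message."""
    request_auth = request_auth or os.urandom(16)
    avps = [(USER_NAME, username.encode()), (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))]
    avps += [(EAP_MESSAGE, eap_packet[i:i + 253]) for i in range(0, len(eap_packet), 253)]
    avps.append((MESSAGE_AUTHENTICATOR, bytes(16)))        # zeroed while the HMAC is computed
    attrs = encode_avps(avps)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(secret, pkt):
    """Server-side check: recompute the HMAC with the attribute zeroed; a missing attribute is a reject."""
    offset = 20
    for attr_type, value in decode_avps(pkt[20:]):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:offset + 2] + bytes(16) + pkt[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        offset += 2 + len(value)
    return False


def build_access_accept(secret, request, avps):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)."""
    attrs = encode_avps(avps)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """Authenticator-side check before acting on an Accept: the ID must match our outstanding request and
    the Response Authenticator must validate under the shared secret, or a forged Accept would open the port."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def vlan_avps(vlan_id, tag=1):
    """The RFC 3580 AV-pair triplet a RADIUS server returns to put the port into a VLAN."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ]


def vlan_from_accept(response):
    """Return the VLAN string only when Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 both agree."""
    seen = {}
    for attr_type, value in decode_avps(response[20:]):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            seen[attr_type] = value[1:] if value[0] <= 0x1F else value   # leading byte is a tag only if <= 0x1F
    if seen.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and seen.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802:
        return seen.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode() or None
    return None


if __name__ == "__main__":
    # Constructed sample: the switch forwards Sally's EAP Response/Identity and gets VLAN 50 back.
    secret = b"cisco123"                                  # sample shared secret from the slide config
    eap_identity_response = b"\x02\x01\x00\x0a\x01sally"  # EAP Response (2), id 1, length 10, type Identity
    req = build_access_request(secret, 7, "sally", eap_identity_response)
    acc = build_access_accept(secret, req, vlan_avps(50))
    print("request MA valid:", verify_message_authenticator(secret, req))
    print("accept valid:", verify_response(secret, req, acc), "VLAN:", vlan_from_accept(acc))
```

Both checks matter operationally: a server that skips `verify_message_authenticator` will process EAP from anyone who can spoof the NAS IP, and a switch that skips `verify_response` will authorise a port on a spoofed Accept. RADIUS itself only carries the EAP method; the confidentiality of the credential exchange comes from the EAP method, not from RADIUS.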


A Closer Look: IOS switch configuration

The port starts Unauthorised. Minimal Cisco IOS configuration for 802.1X (the RADIUS server address and key are sample values):

aaa new-model
! 802.1X authentication requests go to the RADIUS server group
aaa authentication dot1x default group radius
! Accept the dynamic authorisation (VLAN, ACL) that RADIUS returns
aaa authorization network default group radius
radius-server host 10.100.100.100
radius-server key cisco123
! Enable 802.1X globally on the switch
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 ! The port state is decided by the authentication result
 authentication port-control auto
 ! This port acts as the authenticator PAE
 dot1x pae authenticator


A Closer Look: the exchange

The actual authentication is between the client and the authentication server using EAP. The switch is an EAP conduit, but it is aware of what is going on.

Supplicant <--[802.1X / EAPOL]--> Switch <--[RADIUS]--> AAA server

1) Port Unauthorised
2) EAPOL-Start (from the supplicant) / EAP-Identity-Request (from the switch)
3) EAP-Identity-Response
4) EAP-Auth Exchange (method dependent) between supplicant and AAA server, relayed by the switch inside RADIUS
5) Auth Success & Policy Instructions from the AAA server; EAP-Success to the supplicant
6) Port Authorised
7) EAPOL-Logoff: Port Unauthorised again
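The exchange above, as an added example that is not part of the Cisco deck: it encodes and parses EAPOL frames (EtherType 0x888E to the PAE group address) and the EAP packets they carry, and models the authenticator PAE for one port with its two virtual ports, where only EAPOL passes before EAP-Success and the controlled port closes again on EAPOL-Logoff. The AAA decision is a stand-in callback (an assumption in place of the EAP method and RADIUS exchange); the MAC addresses, the identity `sally` and the data frame are constructed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")                     # 802.1X PAE group MAC address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2              # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY = 1


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]. Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol_frame(src, ptype, body=b""):
    """Ethernet frame to the PAE group address carrying an EAPOL PDU: Version(1) Type(1) Length(2) Body."""
    eapol = struct.pack("!BBH", 1, ptype, len(body)) + body
    return PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eapol_frame(frame):
    """Decode Ethernet/EAPOL/EAP headers; anything malformed raises ValueError rather than being guessed at."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    pdu = {"src": frame[6:12], "eapol_type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        if length < 4:
            raise ValueError("EAP header too short")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("bad EAP length")
        pdu["eap"] = {"code": code, "id": ident}
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            pdu["eap"]["type"] = body[4]
            pdu["eap"]["data"] = body[5:eap_len]
    return pdu


class AuthenticatorPort:
    """Authenticator PAE for one switchport. The uncontrolled port passes only EAPOL; the controlled port
    opens on EAP-Success and closes on EAPOL-Logoff or link-up. `decide(identity) -> bool` stands in for
    the EAP-method/RADIUS exchange with the AAA server (assumption for this example)."""

    def __init__(self, switch_mac, decide):
        self.mac, self.decide = switch_mac, decide
        self.authorized, self.session, self.next_id = False, None, 0

    def _request_identity(self):
        self.next_id = (self.next_id + 1) & 0xFF
        return build_eapol_frame(self.mac, EAPOL_EAP_PACKET,
                                 build_eap(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY))

    def link_up(self):
        """Link comes up: the port starts Unauthorised and the switch solicits an identity."""
        self.authorized, self.session = False, None
        return self._request_identity()

    def receive(self, frame):
        """Handle one EAPOL frame from the supplicant; returns the reply frame or None."""
        pdu = parse_eapol_frame(frame)
        if pdu["eapol_type"] == EAPOL_START:
            return self._request_identity()
        if pdu["eapol_type"] == EAPOL_LOGOFF:
            self.authorized, self.session = False, None
            return None
        eap = pdu.get("eap")
        if not eap or eap["code"] != EAP_RESPONSE or eap["id"] != self.next_id:
            return None                      # not a response to our outstanding request: ignore it
        if eap.get("type") != EAP_TYPE_IDENTITY:
            return None
        identity = eap["data"].decode("utf-8", "replace")
        self.authorized = self.decide(identity)
        self.session = identity if self.authorized else None
        result = EAP_SUCCESS if self.authorized else EAP_FAILURE
        return build_eapol_frame(self.mac, EAPOL_EAP_PACKET, build_eap(result, eap["id"]))

    def forwards(self, frame):
        """Data-plane decision: EAPOL always passes (uncontrolled port); all else needs an authorised session."""
        if len(frame) >= 14 and frame[12:14] == struct.pack("!H", ETHERTYPE_EAPOL):
            return True
        return self.authorized


def walk_through(identity):
    """Run the slide's exchange for one supplicant identity; returns the observable port behaviour."""
    switch, pc = bytes.fromhex("001122334455"), bytes.fromhex("000c14a49d33")   # constructed MACs
    port = AuthenticatorPort(switch, decide=lambda who: who == "sally")          # only 'sally' is known to AAA
    ipv4_frame = switch + pc + b"\x08\x00" + b"constructed IPv4 payload"
    port.link_up()
    req = port.receive(build_eapol_frame(pc, EAPOL_START))
    before = port.forwards(ipv4_frame)
    ident = parse_eapol_frame(req)["eap"]["id"]
    reply = port.receive(build_eapol_frame(pc, EAPOL_EAP_PACKET,
                                           build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())))
    after = port.forwards(ipv4_frame)
    port.receive(build_eapol_frame(pc, EAPOL_LOGOFF))
    return {"result": parse_eapol_frame(reply)["eap"]["code"], "before": before,
            "after": after, "after_logoff": port.forwards(ipv4_frame)}
```

`walk_through("sally")` shows the three states the later slides rely on: the IPv4 frame is dropped before authentication, forwarded after EAP-Success, and dropped again after EAPOL-Logoff. Note that the identifier check in `receive` is what stops a stale or replayed Response from being matched to a new Request.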


Default Security with 802.1X: Before Authentication

Strict access control, no visibility (yet). The user is unknown ("?").

interface fastEthernet 3/48
 authentication port-control auto

ALL traffic except EAPoL is dropped.

One physical port -> two virtual ports:
• Uncontrolled port (EAPoL only)
• Controlled port (everything else)


Default Security with 802.1X: After Authentication

The user/device is known (Authenticated User: Sally); identity-based access control.

• Single MAC per port
• Looks the same as without 802.1X

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator

Default authorisation is on or off. Dynamic VLANs or ACLs can be used to customise the user experience.


Default Security: Consequences

Default 802.1X challenge: devices without supplicants can't send EAPoL.

No EAPoL = No Access. The device stays offline.

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator

One physical port -> two virtual ports:
• Uncontrolled port (EAPoL only)
• Controlled port (everything else)


Default Security: More Consequences

Multiple MACs on a port are assumed to be malicious.

• Hubs, gratuitous ARPs, VMware (a VM bridged behind the host shows up as a second MAC)

interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator


Deployment Considerations


802.1X Deployment Considerations

Non-802.1X Clients & Guests

Failed Access Handling

RADIUS Availability

Flexible Authentication Sequencing

Multiple Devices Per Port

Authorisation

Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations


Handling Non-802.1X Clients & Guests

Authenticate via a less-secure method:
– MAC Authentication Bypass (MAB)
– Web Auth (client must have a browser)

Give them limited access after timeout and no response:
– Guest VLAN

Allow WLAN access instead of wired:
– WLAN is a great way to do guest access if available


802.1X with Guest VLAN

Endpoint host 00.0a.95.7f.de.04 (no supplicant) <-> Catalyst switch:

1) Link up; the switch sends EAP-Identity-Request
2) Timeout (30 s), no response; EAP-Identity-Request retransmitted
3) Timeout (30 s), no response; EAP-Identity-Request retransmitted; timeout (30 s), no response
4) EAP-Success; port "Authorised" into the Guest VLAN

• Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
• A device is only deployed into the guest VLAN based on the lack of response to the switch's EAP-Request-Identity frames (which can be thought of as 802.1X hellos)
• No further security or authentication is applied. It is as if the administrator de-configured 802.1X (i.e. multi-host) and hard-set the port into the specified VLAN
• 90 seconds is greater than the MSFT DHCP timeout

interface GigabitEthernet 1/1
 authentication event no-response action authorize vlan 50


MAC Authentication Bypass (MAB)

Endpoint host 00.0a.95.7f.de.06 (no supplicant) <-> Catalyst switch <-> ACS 5.0 (RADIUS):

1) Link up; EAP-Identity-Request
2) Timeout (30 s), no response; EAP-Identity-Request
3) Timeout (30 s), no response; EAP-Identity-Request; timeout (30 s), no response
4) Fallback to MAB
5) Learn MAC (from the first frame the endpoint sends)
6) RADIUS Access-Request: 00.0a.95.7f.de.06
7) RADIUS Access-Accept

Note 1: The default timeout and retransmit count are 30 seconds and 3 attempts. These can be tweaked.
Note 2: With Low Impact Mode, you can allow the endpoint to process DHCP before authentication, to alleviate DHCP timeouts.
Note 3: The authorisations available to endpoints include VLAN and/or ACLs.

interface GigabitEthernet 1/1
 mab


MAB Limitations & Challenges

• MAB requires creating and maintaining a MAC database
• Default 802.1X timeout = 90 seconds
  – 90 sec > default MSFT DHCP timeout
  – 90 sec > default PXE timeout

Current workaround: timer tuning (always requires testing)
• max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire
• tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting
• 802.1X Timeout == (max-reauth-req + 1) * tx-period, i.e. (2 + 1) * 30 = 90 seconds by default


MAB + LDAP/Profiler

Endpoint host 00.0a.95.7f.de.06 (no supplicant) <-> Catalyst switch <-> ACS 5.0 <-> LDAP / NAC Profiler:

1) Link up; EAP-Identity-Request
2) Timeout (30 s), no response; EAP-Identity-Request
3) Timeout (30 s), no response; EAP-Identity-Request; timeout (30 s), no response
4) Fallback to MAB
5) Learn MAC
6) RADIUS Access-Request: 00.0a.95.7f.de.06 (switch -> ACS); ACS issues an LDAP query for 00.0a.95.7f.de.06 to the LDAP directory / NAC Profiler, which answers LDAP Access Accept
7) RADIUS Access-Accept (ACS -> switch)

Note 1: The default timeout and retransmit count are 30 seconds and 3 attempts. These can be tweaked.
Note 2: With Low Impact Mode, you can allow the endpoint to process DHCP before authentication, to alleviate DHCP timeouts.
Note 3: The authorisations available to endpoints include VLAN and/or ACLs.


Web Authentication for non-802.1X User ("Flex Auth"): multiple triggers, single port config

Participants: host, switch, DHCP/DNS, AAA server.

Triggers:
• 802.1X Timeout
• 802.1X Failure
• MAB Failure

1) A trigger fires (802.1X timeout or failure, or MAB failure)
2) Port enabled, pre-authentication ACL applied
3) Host acquires an IP address, which triggers the session state
4) Host opens a browser, receives the login page and sends its password
5) Switch queries the AAA server; the AAA server returns policy (server authorises the user)
6) Switch applies the new ACL policy


802.1X with Web-Auth: Deployment Considerations

Web-Auth is only for users (not devices):
• browser required
• manual entry of username/password

Web-Auth can be a fallback from 802.1X or MAB.

Web-Auth and Guest VLAN* are mutually exclusive.

Web-Auth supports ACL authorisation only.

Web-Auth behind an IP Phone requires Multi-Domain Authentication* (MDA).

* To be discussed in later sections


802.1X Deployment Considerations

Non-802.1X Clients & Guests

Failed Access Handling

RADIUS Availability

Flexible Authentication Sequencing

Multiple Devices Per Port

Authorisation

Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations


Authentication Failures: 802.1X Client Without Valid Credential

EAPoL Start -> EAPoL Request Identity -> EAPoL Response Identity -> RADIUS Access Request -> RADIUS Access Reject -> EAP Failure. The port is never granting access.

* Note: EAPOL-Starts are optional, the possibility of an EAP-NAK is left out intentionally, and the EAP exchange is dependent on the method.

• This works great in preventing rogue access to a network!
• This is a primary reason enterprises look to deploy 802.1X/Identity Networking!
• This is also the problem! (How should we provide access to devices that fail?)


Why Provide Access to Devices that Fail?

Employees' credentials expire or are entered incorrectly (802.1X: "Certificate Expired!").

As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default (802.1X: "User Unknown!").

Many enterprises require that guests and failed corporate assets get conditional access to the network:
– Re-provision credentials through a web proxy or VPN tunnel
– Provide guest access through VLAN assignment or web proxy


Failed Auth: Solution 1, Auth-Fail VLAN

Three consecutive rounds of: EAPoL Start -> EAPoL Request Identity -> EAPoL Response Identity -> RADIUS Access Request -> RADIUS Access Reject -> EAP Failure.

On the third consecutive failure the port is enabled and an EAPOL-Success is transmitted to the supplicant (even though the AAA server answered RADIUS Access Reject); the port is placed in the Auth-Fail VLAN.

interface GigabitE 3/13
 authentication port-control auto
 authentication event fail action authorize vlan 51

Port is now granted access.


802.1X with Auth-Fail VLAN: Deployment Considerations

1. Supplicant cannot exit the Auth-Fail VLAN
   • Only alternatives: switch-initiated re-authentication or port bounce
2. No secondary authentication mechanism.
3. Auth-Fail VLAN, like Guest VLAN, is a switch-local authorisation -> centralised policy on the AAA server is not enforced
4. Switch and AAA server have conflicting views of the network: the switch sees access granted (Auth-Fail VLAN) while the AAA server recorded access denied


Failed Auth: Solution 2, FlexAuth: Next-Method

EAPoL Start -> EAPoL Request Identity -> EAPoL Response Identity -> RADIUS Access Request -> RADIUS Access Reject -> Next Method: MAB -> Learn MAC Address -> RADIUS Access Request (MAC Addr) -> RADIUS Access Accept -> Port Enabled

interface GigabitE 3/13
 authentication port-control auto
 authentication order dot1x mab
 mab
 authentication event fail action next-method

Port is now granted access based on the MAB authorisation.

On 802.1X failure, the port continues to the next authentication method (MAB).


802.1X with Next-Method MAB: Deployment Considerations

1. MAC database required
2. Policy decision: should 802.1X-capable devices get the same access level if they authenticate via MAB after failing 802.1X?


802.1X Deployment Considerations

Non-802.1X Clients & Guests

Failed Access Handling

RADIUS Availability

Flexible Authentication Sequencing

Multiple Devices Per Port

Authorisation

Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations


RADIUS Availability

• The switch detects that AAA is unavailable by one of two methods:
  1. Failure to respond to an AAA request
  2. Periodic probe

[Figure: an access switch at a remote site reaches the RADIUS server over a VPN tunnel across the WAN/Internet; the EAPOL-Start / EAP-Success exchange at the port depends on that path being up]


The Problem: RADIUS Unavailable

Client <-> Switch <-> RADIUS

1) EAP-Identity-Exchange between client and switch
2) Switch sends RADIUS-Access-Request, retransmits it, and gets no answer (server unreachable)
3) Switch sends EAPOL-Failure to the client; the port is not granting access


Inaccessible Authentication Bypass (aka Critical Auth)

Client <-> Switch <-> RADIUS

1) EAP-Identity-Exchange; the switch sends RADIUS-Access-Request, retransmits it, and the server is unreachable
2) Port authorised into the specified Critical VLAN
3) RADIUS server becomes available again: immediate re-initialisation of the 802.1X state machine; EAP-Identity-Exchange and auth exchange with the AAA server; Authentication Successful/Rejected -> EAP-Success/Failure; port authorised per the dynamic authorisation policy

IOS (the slide wrote the dead-criteria line without the `time` keyword; the IOS syntax is `radius-server dead-criteria time <seconds> tries <number>`):

! Delay (ms) before ports in the critical VLAN are re-initialised once the server is back
dot1x critical recovery delay 100
! Periodic probe with a test user, so a dead server is noticed before a real user is waiting
radius-server host x.x.x.x test username [username]
! Declare the server dead after 15 seconds without a reply and 3 unanswered tries
radius-server dead-criteria time 15 tries 3
interface GigabitEthernet 1/0/1
 dot1x critical
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize



Inaccessible Authentication Bypass: recovery

802.1X state machine once the RADIUS server comes back (immediate reinitialise):

1) Port authorised (critical VLAN)
2) RADIUS server comes back -> immediate reinitialise
3) EAP-Identity-Request / EAP-Identity-Response
4) EAP-Auth Exchange / Auth Exchange w/ AAA Server
5) Authentication Successful/Rejected -> EAP-Success/Failure


802.1X Deployment Considerations

Non-802.1X Clients & Guests

Failed Access Handling

RADIUS Availability

Flexible Authentication Sequencing

Multiple Devices Per Port

Authorisation

Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations


Flexible Authentication Sequencing (Flex-Auth)

Flex-Auth fallback examples we've already seen (IOS keywords are spelled `authorize` and `reinitialize`, whatever the prose spelling):
– Configurable behaviour after 802.1X failure
  • authentication event fail action authorize vlan X
  • authentication event fail action next-method
– Configurable behaviour after 802.1X timeout
  • authentication event no-response action authorize vlan Y
– Configurable behaviour before & after the AAA server dies
  • authentication event server dead action authorize vlan Z
  • authentication event server alive action reinitialize

Two more features complete Flex-Auth:
• authentication order
• authentication priority


Flex-Auth Sequencing

Default Order: 802.1X First
  802.1X -> (802.1X timeout) -> MAB -> (MAB fails) -> Guest VLAN
By default, the switch attempts the most secure auth method first. The timeout can mean a significant delay before MAB.

Flex-Auth Order: MAB First
  MAB -> (MAB fails) -> 802.1X -> (802.1X timeout) -> Guest VLAN
The alternative order does MAB on the first packet from the device.


Flex-Auth Order with Flex-Auth Priority

Default Priority: 802.1X ignored after successful MAB
  MAB passes -> Port Authorised by MAB; an EAPoL-Start received afterwards is ignored
  (MAB fails -> 802.1X)

Flex-Auth Priority: 802.1X starts despite successful MAB
  MAB passes -> Port Authorised by MAB -> EAPoL-Start received -> 802.1X runs

Priority determines which method can preempt other methods.

By default, the method sequence determines priority (the first method has the highest priority).

If MAB has priority, EAPoL-Starts will be ignored if MAB passes.
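An added example, not code from the Cisco deck, that models the Flex-Auth behaviour described in the timer-tuning, failed-auth, RADIUS-availability and order/priority sections so that the outcome and the time-to-authorise of different port configurations can be compared side by side: order, priority, `tx-period` / `max-reauth-req`, the `fail` action (deny, next-method, auth-fail VLAN), the guest VLAN for silent devices and the critical VLAN when RADIUS is dead. It is a simplification and an assumption about switch behaviour, not IOS code: a failing higher-priority 802.1X attempt is assumed to leave the existing MAB session in place, and web-auth is not modelled.

```python
from dataclasses import dataclass


@dataclass
class PortConfig:
    """Per-port Flex-Auth settings, named after the IOS commands they model."""
    order: tuple = ("dot1x", "mab")      # authentication order
    priority: tuple = None               # authentication priority (defaults to the order)
    tx_period: int = 30                  # dot1x timeout tx-period
    max_reauth_req: int = 2              # dot1x max-reauth-req
    fail_action: str = "deny"            # authentication event fail action: deny | next-method | authorize:<vlan>
    no_response_vlan: int = None         # authentication event no-response action authorize vlan (guest VLAN)
    critical_vlan: int = None            # authentication event server dead action authorize vlan

    def __post_init__(self):
        if self.priority is None:
            self.priority = self.order

    @property
    def dot1x_timeout(self):
        """Seconds of silence before 802.1X gives up: (max-reauth-req + 1) * tx-period."""
        return (self.max_reauth_req + 1) * self.tx_period


@dataclass
class Endpoint:
    supplicant: bool                 # does it speak EAPOL at all?
    credentials_valid: bool = False  # would the AAA server accept its 802.1X credentials?
    mac_known: bool = False          # is its MAC in the MAB database?


@dataclass
class Outcome:
    method: str   # dot1x | mab | guest-vlan | auth-fail-vlan | critical-vlan | denied
    vlan: object  # "dynamic" (returned by RADIUS), a static VLAN number, or None
    seconds: int  # time from link-up until the port authorises or gives up


def run_method(cfg, ep, method, t, radius_alive=True):
    """One method's attempt; returns (Outcome or None, elapsed). None means fall through to the next method."""
    if method not in ("dot1x", "mab"):
        raise ValueError("unknown method %r" % method)
    if method == "dot1x" and not ep.supplicant:
        return None, t + cfg.dot1x_timeout            # three unanswered EAP-Request-Identity frames
    if not radius_alive:                               # both remaining paths need the AAA server
        if cfg.critical_vlan is not None:
            return Outcome("critical-vlan", cfg.critical_vlan, t), t
        return Outcome("denied", None, t), t
    if method == "mab":
        return (Outcome("mab", "dynamic", t) if ep.mac_known else None), t
    if ep.credentials_valid:
        return Outcome("dot1x", "dynamic", t), t
    if cfg.fail_action == "next-method":
        return None, t
    if cfg.fail_action.startswith("authorize:"):
        return Outcome("auth-fail-vlan", int(cfg.fail_action.split(":", 1)[1]), t), t
    return Outcome("denied", None, t), t


def simulate(cfg, ep, radius_alive=True):
    """Walk the configured order, then apply the guest-VLAN fallback and priority preemption."""
    t, outcome = 0, None
    for method in cfg.order:
        outcome, t = run_method(cfg, ep, method, t, radius_alive)
        if outcome:
            break
    if outcome is None:
        if not ep.supplicant and cfg.no_response_vlan is not None:
            outcome = Outcome("guest-vlan", cfg.no_response_vlan, t)   # only for devices that never answered
        else:
            outcome = Outcome("denied", None, t)
    # Priority: a supplicant sends EAPOL-Start after link-up. If 802.1X outranks MAB it preempts the MAB
    # session; otherwise the EAPOL-Start is ignored. (A failing preemption keeps the MAB session: assumption.)
    if (outcome.method == "mab" and ep.supplicant and "dot1x" in cfg.priority and "mab" in cfg.priority
            and cfg.priority.index("dot1x") < cfg.priority.index("mab")):
        preempt, t = run_method(cfg, ep, "dot1x", t, radius_alive)
        if preempt and preempt.method == "dot1x":
            outcome = preempt
    return outcome
```

Comparing `simulate(PortConfig(), printer)` with `simulate(PortConfig(order=("mab", "dot1x")), printer)` for a supplicant-less printer gives the 90-second versus 0-second difference the sequencing slide describes, and `PortConfig(tx_period=10)` shows what timer tuning buys without changing the order.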


802.1X Deployment Considerations

Non-802.1X Clients & Guests

Failed Access Handling

RADIUS Availability

Flexible Authentication Sequencing

Multiple Devices Per Port

Authorisation

Authentication and Endpoint Considerations

802.1X and Microsoft Windows

Other Considerations


802.1X & IPT: A Special Case, Voice Ports

With Voice Ports, a port can belong to two VLANs, still separating voice and data traffic while letting you configure 802.1X.

An access port able to handle two VLANs:
– Native or Port VLAN Identifier (PVID): untagged 802.3 frames, authenticated by 802.1X
– Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1q frames, "authenticated" by CDP

Hardware is set to a dot1q trunk.


802.1X and Voice: Multi-Domain Authentication (MDA)

[Diagram: a Catalyst 3750 with an IP phone and a PC daisy-chained on one port. Left, IEEE 802.1X: single device per port. Right, IEEE 802.1X MDA: single device per domain per port, with the Voice domain tagged 802.1q and the Data domain untagged.]

• MDA replaces CDP Bypass

• Supports Cisco & 3rd Party Phones

• Phones and PCs use 802.1X or MAB

Two Domains Per Port

Phone authenticates in Voice Domain, tags traffic in VVID

PC authenticates in Data Domain, untagged traffic in PVID

3K: 12.2(35)SEE

4K: 12.2(37)SG

6K: 12.2(33)SXI


MDA for Any IP Phone

[Diagram: a phone with no supplicant and a PC running SSC share one switch port; the phone speaks CDP to the switch, the switch exchanges Access-Request: Phone MAC / Access-Accept: Phone VSA with ACS, and the PC runs EAP. Steps are numbered 1-6 as below.]

1) Phone learns VVID from CDP (Cisco phone)

2) 802.1X times out

3) Switch initiates MAB

4) ACS returns Access-Accept with Phone VSA.

5) Phone traffic allowed on either VLAN until it sends tagged packet, then only voice VLAN

6) (Asynchronous) PC authenticates using 802.1X or MAB

• PC traffic allowed on data VLAN only

interface GigE 1/0/5
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab


MDA in Action

ID-6500a#sho authentication session int g 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Unknown
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000102124450
      Acct Session ID:  0x00000007
               Handle:  0x1D000001
--snip--
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.80.2
            User-Name:  host/beta-supp
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Healthy
        Authorized By:  Authentication Server
          Vlan Policy:  80
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A000000020213FF9C
      Acct Session ID:  0x00000008
               Handle:  0x6E000002

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

Phone authenticated by MAB (either 802.1X or MAB for phone)

PC authenticated by 802.1X (any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN, IAB for PC)
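A small parser for the output above, added here as an example (not code from the deck or from Cisco). It splits `show authentication session` output into sessions, works out which method authorised each one, and enforces the multi-domain rule of one session per domain per interface. The sample text is constructed from the two sessions on the slide, with the `--snip--` gap closed; the fallback that treats a MAC-formatted User-Name as MAB is this example's own heuristic.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two sessions shown on the slide, '--snip--' closed,
# whitespace as IOS prints it.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
    Common Session ID:  0A00645A0000000102124450
               Handle:  0x1D000001

            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.80.2
            User-Name:  host/beta-supp
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  80
    Common Session ID:  0A00645A000000020213FF9C
               Handle:  0x6E000002
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""

MAC_USERNAME = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")

Session = Dict[str, object]


def parse_sessions(text: str) -> List[Session]:
    """One dict per session. A new session starts at each 'Interface:' line; the
    'Runnable methods list' table that follows a session goes under 'methods'."""
    sessions: List[Session] = []
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):
            sessions.append({"methods": {}})
            in_methods = False
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if not line.startswith("Method"):      # skip the column header
                name, state = line.split(None, 1)
                sessions[-1]["methods"][name] = state
            continue
        key, _, value = line.partition(":")
        sessions[-1][key.strip()] = value.strip()
    return sessions


def method_used(session: Session) -> Optional[str]:
    """Method in state 'Authc Success'. If the methods table was not captured, fall
    back to a heuristic (this example's assumption): a MAC-formatted User-Name means MAB."""
    for name, state in session["methods"].items():
        if state == "Authc Success":
            return name
    if MAC_USERNAME.match(str(session.get("User-Name", ""))):
        return "mab"
    return None


def mda_summary(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """One entry per domain with MAC, authorising method and VLAN policy. Multi-domain
    mode allows one session per domain, so a second one is reported as an error."""
    summary: Dict[str, Dict[str, Optional[str]]] = {}
    for s in parse_sessions(text):
        dom = str(s["Domain"])
        if dom in summary:
            raise ValueError(f"second session in domain {dom} on {s['Interface']}")
        summary[dom] = {
            "mac": str(s["MAC Address"]),
            "method": method_used(s),
            "vlan": s.get("Vlan Policy"),    # None: port stays in its configured VLAN
        }
    return summary


if __name__ == "__main__":
    for domain, info in mda_summary(SAMPLE_OUTPUT).items():
        print(f"{domain:5} {info['mac']} via {info['method']} vlan={info['vlan']}")
```

Run against a real capture, the summary is a quick way to confirm that the phone landed in VOICE and the PC in DATA with the expected VLAN policy, and the duplicate-domain check catches a port that has silently fallen back to a different host mode.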


IPT & 802.1X: The Link-State Problem

[Diagram: a PC behind an IP phone on a Catalyst 3750 port. Swapping the PC behind the phone causes no link-state change on the switch port.]

Scenario A: port authorised for 0011.2233.4455 only. A second PC with source 6677.8899.AABB replaces it behind the phone and triggers a Security Violation.

1) Legitimate users cause security violation

Scenario B: port authorised for 0011.2233.4455. A different device sending with source 0011.2233.4455 is forwarded without authenticating: a Security Hole.

2) Hackers can spoof MAC to gain access without authenticating


Previous Solution: Proxy EAPoL-Logoff

[Diagram, three stages of one Catalyst 3750 port with an IP phone in front of the PC:

1. PC-A (running SSC) connected: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORISED, Authentication Method = Dot1x

2. PC-A Unplugs: the phone sends an EAPoL-Logoff on the PC's behalf; session cleared immediately by proxy. Domain = DATA, Port Status = UNAUTHORISED

3. PC-B (running SSC) Plugs In and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORISED, Authentication Method = Dot1x]

Requires: Logoff-capable Phones

Caveats:

• Only for 802.1X devices behind phone


Previous Solution: MAB Inactivity Timeout

[Diagram, three stages of one Catalyst 3750 port:

1. Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORISED, Authentication Method = MAB

2. Device Unplugs: vulnerable to security violation and/or hole until the Inactivity Timer Expires; then Domain = DATA, Port Status = UNAUTHORISED

3. Session cleared, vulnerability closed. The device authenticates again by MAB when it returns: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORISED, Authentication Method = MAB]

interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer inactivity 300
 mab

Caveats: Quiet devices may have to re-auth; network access denied until re-auth completes. Still a window of vulnerability.

3K: 12.2(35)SE

4K: 12.2(50)SG

6K: 12.2(33)SXI


NEW Solution: CDP 2nd Port Notification

[Diagram, three stages of one Catalyst 3750 port with an IP phone:

1. Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORISED, Authentication Method = MAB

2. Device A Unplugs: the phone sends a CDP Link Down TLV to the switch; session cleared immediately. Domain = DATA, Port Status = UNAUTHORISED

3. Device B (running SSC) Plugs In and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORISED, Authentication Method = Dot1x]

Phone sends link down TLV to switch.

Link status msg addresses root cause

Session cleared immediately.

Works for MAB and 802.1X

Nothing to configure

IP Phone: 8.4(1)

3K: 12.2(50)SE (Q2CY09)

4K: 12.2(50)SG

6K: 12.2(33)SXI


Modifying Default Security with 802.1X: Multi-Auth Mode

Multiple MACs on Port (diagram: a host running VMs)

Each MAC authenticated

• 802.1X or MAB

• No VLAN Assignment Supported

• Superset of MDA with multiple Data Devices per port

interface fastEthernet 3/48
 authentication port-control auto
 authentication host-mode multi-auth


Authorisation

Authorisation is the embodiment of the ability to enforce policies on identities

Typically policies are applied using a group methodology, which allows for easier manageability

The goal is to take the notion of group management and policies into the network

Types of Authorisation:

–Default: Closed until authenticated.

–Dynamic: VLAN assignment, ACL assignment

–Local: Guest VLAN, Auth-fail VLAN, Critical Auth VLAN


Changing the Default Authorisation: "Open Access"

Open Mode (No Restrictions)

interface GigabitE 3/13
 authentication port-control auto
 authentication open
 mab

Authentication Performed, No Access Control


Open Access Application 1: Monitor Mode

RADIUS accounting logs provide visibility:

• Passed/Failed 802.1X/EAP attempts

• List of valid 802.1X capable

• List of non-802.1X capable

• Passed/Failed MAB attempts

• List of Valid MACs

• List of Invalid or unknown MACs

TO DO before implementing access control:

• Confirm that all these should be on network

• Install supplicants on X, Y, Z clients

• Upgrade credentials on failed 802.1X clients

• Update MAC database with failed MABs…

Monitor the network, see who's on, address future connectivity problems by installing supplicants and credentials, creating MAB database


Open Mode Application 2: Selectively Open Mode (aka Low Impact Mode)

Selectively Open Access:

Open Mode (Pinhole) on specific TCP/UDP ports, restricted to specific addresses

EAP allowed (Controlled Port)

Block general access until successful 802.1X, MAB or WebAuth

Download general-access ACL upon authentication

Pinhole explicit tcp/udp ports to allow desired access

interface GigabitE 3/13
 authentication port-control auto
 authentication open
 ip access-group UNAUTH in


Open Mode with Dynamic ACLs: Sample Open Mode Configs

Slide Source: Ken Hook

[Diagram: wired Ethernet end points on a Catalyst 6500 802.1X port. EAP goes to ACS/AAA; DHCP/DNS is served by 10.100.10.116 and PXE by the PXE server at 10.100.10.117; the authenticated client holds IP 10.100.60.200.]

interface range gigE 1/0/1 - 24
 switchport access vlan 30
 switchport voice vlan 31
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 mab

ip access-list extended PRE-AUTH
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp

(Before Authentication)
Switch#show tcam interface g1/13 acl in ip
 permit tcp any any established match-any
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
 deny ip any any

(After Authentication)
Switch#show tcam interface g1/13 acl in ip
 permit ip host 10.100.60.200 any
 permit tcp any any established match-any
 permit udp any any eq bootps
 permit udp any host 10.100.10.116 eq domain
 permit udp any host 10.100.10.117 eq tftp
 deny ip any any
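An added example (not from the deck, not IOS code) that evaluates the PRE-AUTH ACL and the downloaded entry above against sample packets, to show what a low-impact port lets through before and after authentication. It parses just the ACL syntax the slide uses (`any`/`host`, `eq`, `established`, the `match-any` display keyword); the sample packets, their addresses other than the ones on the slide, and the `Packet`/`Ace` classes are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# PRE-AUTH ACL from the slide, applied inbound on every access port.
PRE_AUTH_ACL = [
    "permit tcp any any established",
    "permit udp any any eq bootps",
    "permit udp any host 10.100.10.116 eq domain",
    "permit udp any host 10.100.10.117 eq tftp",
]

# Port names IOS accepts after 'eq'; only the ones the sample ACL uses.
PORT_NAMES = {"bootps": 67, "domain": 53, "tftp": 69}


@dataclass
class Ace:
    action: str
    proto: str                                  # ip, tcp or udp
    src: Optional[ipaddress.IPv4Address]        # None means 'any'
    dst: Optional[ipaddress.IPv4Address]
    dport: Optional[int] = None
    established: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set


def _address(tokens: List[str]) -> Optional[ipaddress.IPv4Address]:
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.IPv4Address(tokens.pop(0))
    raise ValueError(f"unsupported address form: {tok}")


def parse_ace(line: str) -> Ace:
    """Parse the subset of IOS extended-ACL syntax used on the slide."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    ace = Ace(action, proto, _address(rest), _address(rest))
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            name = rest.pop(0)
            ace.dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        elif tok == "established":
            ace.established = True
        elif tok == "match-any":
            pass                     # 'show tcam' display keyword, no effect on matching
        else:
            raise ValueError(f"unsupported keyword: {tok}")
    return ace


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src is not None and ace.src != ipaddress.IPv4Address(pkt.src):
        return False
    if ace.dst is not None and ace.dst != ipaddress.IPv4Address(pkt.dst):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return not ace.established or pkt.established


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def port_acl(authenticated: bool, client_ip: Optional[str] = None) -> List[Ace]:
    """Effective inbound ACL: once the client is authenticated the downloaded entry
    sits ahead of the static PRE-AUTH ACL, as in the 'show tcam' output above."""
    lines = list(PRE_AUTH_ACL)
    if authenticated:
        lines.insert(0, f"permit ip host {client_ip} any")
    return [parse_ace(line) for line in lines]


# Constructed sample traffic from a client that obtains 10.100.60.200 via DHCP.
SAMPLE_PACKETS = [
    Packet("udp", "0.0.0.0", "255.255.255.255", dport=67),       # DHCP Discover
    Packet("udp", "10.100.60.200", "10.100.10.116", dport=53),   # DNS to the listed server
    Packet("udp", "10.100.60.200", "10.100.10.118", dport=53),   # DNS to some other host
    Packet("tcp", "10.100.60.200", "10.100.20.5", dport=80),     # HTTP SYN, not established
]


def before_auth() -> List[str]:
    return [evaluate(port_acl(False), p) for p in SAMPLE_PACKETS]


def after_auth() -> List[str]:
    return [evaluate(port_acl(True, "10.100.60.200"), p) for p in SAMPLE_PACKETS]
```

Before authentication only DHCP and the pinholed DNS/TFTP servers are reachable; after the dACL is applied, anything sourced from the authenticated host's address is permitted. The evaluator matches only on the fields the slide's ACL uses, so add source ports, masks and ICMP types before using it on a production ACL.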


Dynamic Authorisation:VLAN Assignment

Dynamic VLAN assignment based on identity of group, or individual, at the time of authentication

VLANs are assigned by name, which allows for more flexible VLAN management

Tunnel attributes used to send back VLAN configuration information to authenticator

Tunnel attributes are defined by RFC 2868

Usage for VLANs is specified in the 802.1X standard


802.1X with VLAN Assignment

AV Pairs Used (All Are IETF Standard):

[64] Tunnel-Type = "VLAN" (13)

[65] Tunnel-Medium-Type = "802" (6)

[81] Tunnel-Private-Group-ID = <VLAN name>, e.g. Marketing

VLAN name must match switch configuration

Mismatch results in authentication failure

aaa authorization network default group radius
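The three AV pairs above, encoded and checked the way a switch would, as an added example (not code from the deck, ACS or IOS). It builds the RFC 2868 tagged attributes for a VLAN name, parses them back, and applies the rule on the slide that the name must match a VLAN configured on the switch. The `SWITCH_VLANS` table is constructed; the attribute numbers and the VLAN/802 values are the ones the slide lists.

```python
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE = 64                  # [64] Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65           # [65] Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81      # [81] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13             # "VLAN"
TUNNEL_MEDIUM_802 = 6             # "802"


def tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer attribute: Type, Length (6), Tag, 3-byte value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """RFC 2868 tagged string attribute: Type, Length, Tag, string."""
    data = value.encode("ascii")
    if not 0 <= tag <= 0x1F or not 1 <= len(data) <= 252:
        raise ValueError("bad tag or string length")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_assignment(vlan_name: str, tag: int = 1) -> bytes:
    """The three AV pairs an Access-Accept carries to assign a VLAN by name."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def parse_attributes(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk the attribute TLVs and return (type, tag, value) triples. For the string
    attribute 81 a first octet above 0x1F is data, not a tag (RFC 2868 section 3.6)."""
    out: List[Tuple[int, int, bytes]] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute length")
        body = data[i + 2:i + length]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and body[0] > 0x1F:
            out.append((attr_type, 0, body))
        else:
            out.append((attr_type, body[0], body[1:]))
        i += length
    return out


def vlan_from_accept(data: bytes, switch_vlans: Dict[str, int]) -> Tuple[Optional[int], str]:
    """Switch-side check of an Access-Accept: the three attributes must share a tag,
    say VLAN over 802, and name a VLAN that exists on the switch. Returns
    (vlan_id, reason); vlan_id is None where the authentication would fail."""
    by_tag: Dict[int, Dict[int, bytes]] = {}
    for attr_type, tag, value in parse_attributes(data):
        by_tag.setdefault(tag, {})[attr_type] = value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                or attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802.to_bytes(3, "big")
                or TUNNEL_PRIVATE_GROUP_ID not in attrs):
            continue
        name = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
        if name in switch_vlans:
            return switch_vlans[name], "ok"
        return None, f"VLAN name {name!r} not configured on switch"
    return None, "no complete VLAN assignment in Access-Accept"


# Constructed VLAN table of the switch; the name must match exactly.
SWITCH_VLANS = {"Marketing": 30, "Voice": 31}
```

Note that the match is case-sensitive here, as the name comparison is on the switch; a policy that returns `marketing` for a VLAN named `Marketing` fails the session rather than dropping the host into its default VLAN, which is the failure mode the slide warns about.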


URL Redirect

Requires HTTP on the switch

Does not "authenticate" via the web native to the switch

Mainly used for custom notification at this time

Future integration with other Cisco products

Authentication Process (Client, Switch, RADIUS, Web Page):

1. 802.1X/MAC Authentication

2. RADIUS authorises port with URL redirect

3. User Initiates Web Connection

4. Switch Port Redirects to Web Page


Authorisation Recommendations

All Authorisation (VLAN, dACL, etc.) is completely optional

Only use it if you have to separate users due to a business requirement

Most enterprises do not have this requirement for known users

Leave the port in its default VLAN or assign the VLAN during machine authentication if possible


802.1X Authentication Database

Where is the single source of authentication credentials for the enterprise?

Do you have to build new or extend trust between databases?

Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases

The EAP method may impose requirements on the authentication database, for example when MS-CHAPv2 is required for password authentication.


Supplicant Considerations

Microsoft Windows

–User and machine authentication

–DHCP request time out

–Machine authentication restriction

–Default methods: MD5, PEAP, EAP-TLS

Unix/Linux considerations

–Open source: xsupplicant Project (University of Utah)

–Available from http://www.open1x.org

–Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC

Native Apple supplicant support in OS X 10.3

–802.1X is turned off by default!

–Default parameters—TTLS, LEAP, PEAP, MD5, FAST supported

–Support for airport and wired interfaces

–In 10.5 Single sign on (SSO) can be accomplished for system or user. Not both at the same time


Cisco Secure Services Client (SSC)

Introduces features over and above the native supplicants

–EAP types

–Management Interfaces

–Automatic VPN initiation

Features

Robust Profile Management

Support for industry standards

Endpoint integrity

Single sign-on capable

Enabling of group policies

Administrative control

Benefits

Simple, secure device connectivity

Minimises chances of network compromise from infected devices

Reduces complexity

Restricts unauthorised network access

Centralised provisioning


Cisco AnyConnect 3.0 Client

Unified Cisco Client

802.1X Supplicant

VPN Client

Plus more

Introduces features over and above the native supplicants

– EAP types

– Management Interfaces

– Automatic VPN initiation


Windows Boot Cycle Overview

[Diagram: the boot cycle below with an Inherent Assumption of Network Connectivity. With 802.1X user authentication only, the earliest network connectivity comes at GINA, so the components before it that depend on network connectivity (marked X) are broken.]

Power On

Kernel Loading / Windows HAL Loading / Device Driver Loading

X Obtain Network Address (Static, DHCP)

X Determine Site and DC (DNS, LDAP)

X Establish Secure Channel to AD (LDAP, SMB)

X Kerberos Authentication (Machine Account)

X Computer GPOs Loading (Async)

X GPO based Startup Script Execution

X Certificate Auto Enrollment / Time Synchronisation / Dynamic DNS Update

GINA (Earliest Network Connectivity with User Auth Only)

Kerberos Auth (User Account)

User GPOs Loading (Async)

GPO based Logon Script Execution (SMB)

Components broken with 802.1X user authentication only are marked X


Problem 1: Microsoft Issues with DHCP

With wired interfaces a successful 802.1X authentication does not force a DHCP address discovery (no media-connect signal)

DHCP starts once interface comes up

If 802.1X authentication takes too long, DHCP may time out

[Timeline: Power Up, Load NDIS Drivers, then DHCP and Setup Secure Channel to DC, then Present GINA (Ctrl-Alt-Del) Login. DHCP runs alongside 802.1X: DHCP times out at 62 seconds, 802.1X authentication has a variable timeout.]

DHCP Is a Parallel Event, Independent of 802.1X Authentication


Problem 2: Machine GPOs Broken

What Is a Group Policy?

Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment

Types of Group Policy

–Registry-based policy

–Security options

–Software installation and maintenance options

–Scripts options

–Folder redirection options


The Solution: Machine Authentication

What is machine authentication?

–The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session

What is it used for?

–Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies

Why do we care?

–Pre-802.1X this worked under the assumption that network connectivity was a given; post-802.1X the blocking of network access prior to 802.1X authentication breaks DHCP & machine-based group policy model—UNLESS the machine can authenticate using its own identity in 802.1X


802.1X VLAN Assignment Problem 1: DHCP Renewal

When using dynamic VLAN assignment with user & machine authentication, the host’s VLAN can change when user logs in.

– IP address may need to change also

Supplicant behaviour has been addressed by Microsoft

– Windows XP: install service pack 1a + KB 826942

– Windows 2000: install service pack 4

– Needed for VLAN assignment with Wireless Zero Config

Updated supplicants trigger DHCP IP address renewal

– Successful authentication causes client to ping default gateway (three times) with a sub-second timeout

– Lack of echo reply will trigger a DHCP IP renew

– Successful echo reply will leave IP as is

– Prerenewal ping prevents lost connections when subnet stays the same but client may be WLAN roaming


DHCP and 802.1X (For Your Reference)

Windows XP: Install Service Pack 1a + KB 826942; Windows 2000: Install Service Pack 4

[Sequence diagram: Supplicant, Authenticator, Authentication Server]

1. Authenticator -> Supplicant: Login Req.

2. Supplicant -> Authenticator: Send Credentials

3. Authenticator -> Authentication Server: Forward Credentials to ACS Server

4. Authentication Server -> Authenticator: Accept, VLAN Assignment

5. Authenticator -> Supplicant: Auth Successful (EAP-Success)

6. Supplicant: ICMP Echo (x3) for Default GW from "Old IP" as soon as EAP-Success frame is received

7. Supplicant: DHCP-Request (D=255.255.255.255), after pings have gone unanswered

8. DHCP-NAK (Wrong Subnet)

9. Supplicant: DHCP-Discover (D=255.255.255.255)

At This Point, DHCP Proceeds Normally


Problem 2: "Real" Boot Sequence & VLAN Assignment

[Diagram: the Windows boot cycle laid against 802.1X Machine Auth (Machine VLAN) and 802.1X User Auth (User VLAN). Start of 802.1X auth may vary among supplicants. Three components are marked as being in a race condition with 802.1X Auth, and three more under Fast Logon Optimisation.]

Power On

Kernel Loading / Windows HAL Loading / Device Driver Loading

802.1X Machine Auth -> Machine VLAN

Obtain Network Address (Static, DHCP)

Determine Site and DC (DNS, LDAP)

Establish Secure Channel to AD (LDAP, SMB)

Kerberos Authentication (Machine Account)

Computer GPOs Loading (Async)

GPO based Startup Script Execution

Certificate Auto Enrollment / Time Synchronisation / Dynamic DNS Update

GINA

802.1X User Auth -> User VLAN

Kerberos Auth (User Account)

User GPOs Loading (Async)

GPO based Logon Script Execution (SMB)


Problem 3: VLAN Assignment and GPOs

[Diagram: the same boot cycle with 802.1X Machine Auth and 802.1X User Auth, and two addresses, VLAN1 – 10.1.1.1 and VLAN2 – 99.1.1.1, to show the host changing VLAN between the two authentications. Start of 802.1X auth may vary among supplicants; components in a race condition with 802.1X Auth are marked.]

Power On

Kernel Loading / Windows HAL Loading / Device Driver Loading

802.1X Machine Auth

Obtain Network Address (Static, DHCP)

Determine Site and DC (DNS, LDAP)

Establish Secure Channel to AD (LDAP, SMB)

Kerberos Authentication (Machine Account)

Computer GPOs Loading (Async)

GPO based Startup Script Execution

Certificate Auto Enrollment / Time Synchronisation / Dynamic DNS Update

GINA

802.1X User Auth

Kerberos Auth (User Account)

User GPOs Loading (Async)

GPO based Logon Script Execution (SMB)


Vista SP1/Windows 2008 and XP SP3

If the supplicant fails 802.1X authentication once, it goes down for twenty minutes before it tries again

–Vista SP1/Windows 2008: KB957931 http://support.microsoft.com/kb/957931

–XP SP3: KB coming soon


802.1X and Windows Recommendations

Machine Authentication is mandatory for managed environments

Consider machine authentication only

–Manage auth behaviour on XP SP2/2000 via registry keys

–http://support.microsoft.com/kb/309448/en-us

–http://www.microsoft.com/technet/network/wifi/wififaq.mspx

–Manage XP SP3/Vista Supplicant through XML

–http://support.microsoft.com/kb/929847

Use the automatic provisioning built into AD if possible

–Machines are provisioned automatically with a machine password

–Can have certificates automatically provisioned via AD GPOs


VLANs and Windows: Recommendations

When using Dynamic VLANs:

–Disable Fast Logon Optimisation

–Use the same VLAN for machine and user authorisation

–VLAN assignment requires AD, DHCP server, and network switch changes (planning, routing, trunking, etc.)

Access Control Lists (ACLs) are a policy enforcement alternative to VLANs. Beware of TCAM implications: the number of ACEs on L3 switch is limited.

ACL per port can be assigned by RADIUS server per group.


Remote Desktop

XP: Microsoft Remote Desktop logs off the local user and drops the machine into machine mode, which results in a machine auth.

Vista: Leaves the local user logged onto the system, so it does not trigger an 802.1X auth.

If machine authentication and user authentication result in the same VLAN then there are no problems

If machine authentication puts the machine in a different VLAN, then user authentication must be maintained despite Windows logging the user off.

SSC on XP provides the above solution


Pre-eXecution boot Environment (PXE): Default Security Impact

interface fastEthernet 3/48
 authentication port-control auto

With this configuration ALL traffic except EAPoL is dropped until authentication succeeds.

One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else).

PXE BIOS needs network access within 60 seconds of link-up to download a bootable OS.

Most PXE implementations do not support 802.1X.

No 802.1X = no network access = no OS download.


PXE Solution 1: MAC Authentication Bypass (MAB)

interface GigabitE 3/13
 authentication port-control auto
 dot1x timeout tx-period 10
 mab

Packet sequence between the PXE BIOS, the switch (dot1x/MAB) and the RADIUS server (the exact packet sequence will vary):

1. Link up: the switch sends an EAPOL-Request (Identity); the PXE client never answers. DHCP Discover 1 is dropped.
2. After 10 seconds (tx-period): EAPOL-Request (Identity) is retransmitted; DHCP Discover 2 is dropped.
3. After another 10 seconds: EAPOL-Request (Identity) is retransmitted again; DHCP Discover 3 is dropped.
4. EAPOL timeout: the switch initiates MAB. It first has to learn the client MAC (00.0a.95.7f.de.06 in the example) from a frame the client sends, so this delay is variable.
5. RADIUS Access-Request with the MAC address as the identity; RADIUS Access-Accept; port enabled.
6. DHCP Discover 4 is forwarded; PXE continues.
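The sequence above only works if MAB starts well inside the PXE client's DHCP window. The following script is an added example (not part of the Cisco deck) that models the standard IOS timers: time-to-MAB = tx-period × (max-reauth-req + 1), with IOS defaults of 30 and 2. The PXE client's DHCP Discover retry schedule, the one-second RADIUS round trip and the assumption that the frame which lets the switch learn the MAC is itself consumed rather than forwarded are all constructed for the example.

```python
"""Added example (not part of the Cisco deck): a timing check for the MAB
fallback that lets a PXE client boot through an 802.1X port.

Model (standard IOS behaviour): the authenticator sends an EAPOL-Request
(Identity) at link-up and retransmits it every `tx_period` seconds; after
`max_reauth_req` retransmissions without an answer it declares an EAPOL
timeout and starts MAB, so time-to-MAB = tx_period * (max_reauth_req + 1).
IOS defaults are tx-period 30 and max-reauth-req 2.  The DHCP retry
schedule of the PXE client below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

PXE_WINDOW_SECONDS = 60   # PXE BIOS gives up on DHCP roughly a minute after link-up

# Constructed PXE client behaviour: DHCP Discover retransmissions (seconds after link-up).
DISCOVERS: Sequence[int] = (0, 8, 16, 32, 48)


@dataclass(frozen=True)
class PortTimers:
    tx_period: int = 30        # dot1x timeout tx-period
    max_reauth_req: int = 2    # dot1x max-reauth-req


def eapol_timeout_seconds(t: PortTimers) -> int:
    """Seconds from link-up until the switch gives up on EAP and tries MAB."""
    return t.tx_period * (t.max_reauth_req + 1)


def fits_pxe_window(t: PortTimers) -> bool:
    """Quick sanity check: MAB must start inside the PXE DHCP window."""
    return eapol_timeout_seconds(t) < PXE_WINDOW_SECONDS


def simulate_pxe(t: PortTimers,
                 discovers: Sequence[int] = DISCOVERS,
                 radius_rtt: int = 1) -> Tuple[Optional[int], List[Tuple[int, bool]]]:
    """Replay the client's DHCP Discovers against the port state.

    Modelling assumption: MAB needs a frame from the client to learn its MAC,
    and that frame is consumed by the unauthorised port rather than forwarded;
    the port is authorised `radius_rtt` seconds later (Access-Request/Accept).
    Returns (time the port was authorised or None, [(discover_time, forwarded)]).
    """
    timeout = eapol_timeout_seconds(t)
    trigger = next((d for d in discovers if d >= timeout), None)
    if trigger is None:
        # No client frame arrives after the EAPOL timeout: MAB never runs.
        return None, [(d, False) for d in discovers]
    authorised_at = trigger + radius_rtt
    return authorised_at, [(d, d >= authorised_at) for d in discovers]


def pxe_boots(t: PortTimers, discovers: Sequence[int] = DISCOVERS, radius_rtt: int = 1) -> bool:
    """True if at least one DHCP Discover is forwarded inside the PXE window."""
    _, outcomes = simulate_pxe(t, discovers, radius_rtt)
    return any(forwarded and d <= PXE_WINDOW_SECONDS for d, forwarded in outcomes)


if __name__ == "__main__":
    for label, timers in (("IOS defaults", PortTimers()),
                          ("deck: dot1x timeout tx-period 10", PortTimers(tx_period=10))):
        authorised_at, outcomes = simulate_pxe(timers)
        print(f"{label}: MAB after {eapol_timeout_seconds(timers)} s, "
              f"port authorised at {authorised_at}, boots={pxe_boots(timers)}")
        for when, ok in outcomes:
            print(f"  DHCP Discover at t={when:>2}s: {'forwarded' if ok else 'dropped'}")
```

With the defaults the switch waits 90 seconds before trying MAB, which is longer than the PXE window, so the client never boots; with tx-period 10 (as on the slide) MAB starts after 30 seconds and the first Discover sent after authorisation gets through. Remember that MAB is identification by a spoofable MAC address, so whatever the RADIUS server authorises for a MAB identity should carry a restrictive VLAN or ACL rather than full access.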


PXE Solution 2: Open Mode with Interface ACL

Selectively open access: in open mode, "pinhole" only the specific TCP/UDP ports PXE needs, restricted to specific server addresses, in the pre-authentication interface ACL.

EAP is still processed on the port; general access is blocked until a successful MAB (or 802.1X) authentication.

Upon authentication, download a general-access ACL that replaces the restricted pre-authentication access.

interface GigabitE 3/13
 authentication port-control auto
 authentication open
 ip access-group UNAUTH in

The UNAUTH ACL pinholes the explicit TCP/UDP ports that allow the desired PXE BIOS access and nothing else.


Wake On LAN (WOL) and 802.1X

802.1X controls port traffic in BOTH directions. The default is to block outbound (from switch) traffic until a successful 802.1X/MAB authentication, so a wake-up packet never reaches a sleeping, unauthenticated device.

Selectively open access outbound: use the WOL support on the switch to allow outbound (from switch) traffic to wake up the device.

interface GigabitE 3/13
 authentication port-control auto
 authentication control-direction in

With control-direction in, only traffic coming in from the WOL-capable device is blocked until it authenticates.


Monitoring & Troubleshooting


802.1X Monitoring and Troubleshooting

Major components of 802.1X monitoring:

–RADIUS accounting

–NAD logs

–RADIUS logs

–NAD CLI

–SNMP on the NAD

Major components of 802.1X troubleshooting:

–Correlated log reports (ACS View)

–Third-party log analysis and reporting

–SNMP on the NAD

–NAD CLI


802.1X with RADIUS Accounting

1. The supplicant authenticates (802.1X process towards the switch, RADIUS process towards the server).
2. The RADIUS server returns Access-Accept to the switch; the switch sends EAPOL-Success to the supplicant.


802.1X with RADIUS Accounting

Accounting-Request packets contain one or more AV pairs to report various events and related information to the RADIUS server.

User-level events are tracked with the same mechanism.

1. The supplicant authenticates (802.1X process).
2. The RADIUS server returns Access-Accept; the switch sends EAPOL-Success to the supplicant.
3. The switch sends an Accounting-Request to the RADIUS server.
4. The RADIUS server answers with an Accounting-Response.


802.1X with RADIUS Accounting

Similar to other accounting and tracking mechanisms that already exist using RADIUS

–Can now be done through 802.1X

Increases network session awareness

Provides information to a management infrastructure about who logs in, session duration, support for basic billing and usage reporting, etc.

Provides a means to map the authenticated identity to an IP address and a location:

IOS: aaa accounting dot1x default start-stop group radius

Accounting records give Identity, Port, MAC, Switch; the IP-to-MAC binding gives IP, Port, MAC, Switch; Switch + Port = Location; joining the two on Switch, Port and MAC therefore gives Identity <-> IP.
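The join described above is what an incident responder does by hand when an alert names only an IP address. The following script is an added example (not part of the Cisco deck) that folds RADIUS accounting Start / Interim-Update / Stop records into a session table and answers "who held this IP at this time, and on which switch port". The record format is a constructed, simplified text export; the MAC, IP, user name and session ids of the first two sessions are copied from the deck's show output, while the switch address 10.0.100.90, the timestamps and the third session are made up for the example.

```python
"""Added example (not part of the Cisco deck): build a session table from
802.1X RADIUS accounting records so an IP address seen elsewhere (IDS alert,
proxy log) can be mapped back to an authenticated identity and a location
(switch + port).

Input is a constructed, simplified export: one record per line,
'<epoch-seconds> <RADIUS-Attribute>=<value> ...'.  The attribute names are the
standard ones an IOS switch sends once 'aaa accounting dot1x default
start-stop group radius' is configured.  MAC, IP, user name and session ids
of the first two sessions come from the deck's show output; the switch
address 10.0.100.90, the timestamps and the third session are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RECORDS = r"""
1292424418 Acct-Status-Type=Start Acct-Session-Id=0x00000011 User-Name=nac\darrimil Calling-Station-Id=00-0D-60-FC-8B-F5 NAS-IP-Address=10.0.100.90 NAS-Port-Id=GigabitEthernet7/1
1292424418 Acct-Status-Type=Start Acct-Session-Id=0x00000009 User-Name=00-0F-23-22-D9-A2 Calling-Station-Id=00-0F-23-22-D9-A2 NAS-IP-Address=10.0.100.90 NAS-Port-Id=GigabitEthernet7/1
1292424431 Acct-Status-Type=Interim-Update Acct-Session-Id=0x00000011 NAS-IP-Address=10.0.100.90 Framed-IP-Address=10.6.50.2
1292424431 Acct-Status-Type=Interim-Update Acct-Session-Id=0x00000009 NAS-IP-Address=10.0.100.90 Framed-IP-Address=10.6.110.2
1292431200 Acct-Status-Type=Stop Acct-Session-Id=0x00000011 NAS-IP-Address=10.0.100.90 Acct-Terminate-Cause=User-Request
1292431260 Acct-Status-Type=Start Acct-Session-Id=0x00000015 User-Name=nac\jdoe Calling-Station-Id=00-50-56-AA-BB-CC NAS-IP-Address=10.0.100.90 NAS-Port-Id=GigabitEthernet7/1
1292431270 Acct-Status-Type=Interim-Update Acct-Session-Id=0x00000015 NAS-IP-Address=10.0.100.90 Framed-IP-Address=10.6.50.2
"""


@dataclass
class Session:
    nas_ip: str
    session_id: str
    identity: str              # User-Name: AD user for 802.1X, MAC address for MAB
    mac: str
    port: str
    start: int
    ip: Optional[str] = None   # usually unknown at Start; arrives in an Interim-Update after DHCP
    stop: Optional[int] = None

    @property
    def location(self) -> str:
        return f"{self.nas_ip} {self.port}"   # Switch + Port = Location

    def active_at(self, t: int) -> bool:
        return self.start <= t and (self.stop is None or t <= self.stop)


def parse_record(line: str) -> Tuple[int, Dict[str, str]]:
    ts, *pairs = line.split()
    return int(ts), dict(p.split("=", 1) for p in pairs)


def build_sessions(text: str) -> Dict[Tuple[str, str], Session]:
    """Fold Start / Interim-Update / Stop records into one Session per (NAS, Acct-Session-Id)."""
    sessions: Dict[Tuple[str, str], Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, a = parse_record(line)
        key = (a["NAS-IP-Address"], a["Acct-Session-Id"])   # session ids are only unique per NAS
        status = a["Acct-Status-Type"]
        if status == "Start":
            sessions[key] = Session(a["NAS-IP-Address"], a["Acct-Session-Id"], a["User-Name"],
                                    a["Calling-Station-Id"], a["NAS-Port-Id"], ts,
                                    ip=a.get("Framed-IP-Address"))
        elif key not in sessions:
            continue   # Interim/Stop without a Start (switch reloaded, record lost): cannot correlate
        elif status == "Interim-Update":
            if "Framed-IP-Address" in a:
                sessions[key].ip = a["Framed-IP-Address"]
        elif status == "Stop":
            sessions[key].stop = ts
    return sessions


def who_had_ip(sessions: Dict[Tuple[str, str], Session], ip: str, at: int) -> List[Session]:
    """Identity <-> IP: every session that held `ip` at time `at`.  More than one hit means
    the accounting data is ambiguous (overlapping leases) and DHCP logs are needed to resolve it."""
    return [s for s in sessions.values() if s.ip == ip and s.active_at(at)]


def sessions_on_port(sessions, nas_ip: str, port: str, at: int) -> List[Session]:
    """Everything authenticated behind one switch port at a point in time (phone + PC in multi-domain)."""
    return [s for s in sessions.values() if s.nas_ip == nas_ip and s.port == port and s.active_at(at)]


if __name__ == "__main__":
    table = build_sessions(RECORDS)
    for when in (1292425000, 1292431230, 1292431300):
        hits = who_had_ip(table, "10.6.50.2", when)
        print(f"10.6.50.2 at {when}: " +
              (", ".join(f"{h.identity} ({h.mac}) on {h.location}" for h in hits) or "nobody"))
```

The same IP is reused by a second user after the first session's Stop record, and the lookup in between returns nothing: a gap in accounting (a missing Stop, or a switch that reloaded and lost the session) shows up as an empty or ambiguous answer rather than a wrong name, which is the safer failure mode for an investigation.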


Troubleshooting: Identify Points of Failure

It is important to understand where in the picture (supplicant, switch, RADIUS server, directory) the failure occurs.

It is important to understand which issue causes which failures.

In most cases the description of the symptom is vague or misleading, and you must correlate separate pieces of information to resolve the problem.


ACS View 5.0 RADIUS Authentication


ACS View 5.0 Authentications Details


802.1X Port Config

ID-6500a#sho authentication session interface gigabitEthernet 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Unknown
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A00000007000E37CC
      Acct Session ID:  0x00000009
               Handle:  0x0E000007

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
----------------------------------------
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.50.2
            User-Name:  nac\darrimil
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Healthy
        Authorized By:  Authentication Server
          Vlan Policy:  50
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000D0030B498
      Acct Session ID:  0x00000011
               Handle:  0x1500000D

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

Port configuration that produced the two sessions above (IP phone via MAB in the VOICE domain, PC via 802.1X in the DATA domain):

interface GigabitEthernet7/1
 switchport
 switchport mode access
 switchport voice vlan 110
 ip access-group default_acl in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast edge

For Your Reference
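The output above is the switch-side record to check during a monitor-mode rollout, and it is easy to script. The following is an added example (not part of the Cisco deck) that parses that show output into per-session records and runs two checks: a DATA-domain host that was authorised by MAB after dot1x failed over (a PC without a working supplicant, or a device impersonating one by MAC), and a DATA-domain session authorised without any VLAN policy (the symptom of a missing aaa authorization network command, covered under "Authorisation Failure 1"). The sample text is copied from the deck's slides, the third session from the failure-1 slide, which prints no methods list; the rule that only the VOICE domain may use MAB is an assumption for the example, as is decoding the switch address from the Common Session ID (its first eight hex digits are the NAS IPv4 address).

```python
"""Added example (not part of the Cisco deck): parse 'show authentication
sessions interface ...' output and run deployment checks over it.

Sample output is copied from the deck (two sessions from the port-config
slide, one from the authorisation-failure-1 slide, which shows no
'Runnable methods list').  Which domains may fall back to MAB is an
assumption made for the example.
"""
from typing import Dict, List, Optional, Tuple

SHOW_OUTPUT = r"""
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Unknown
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A00000007000E37CC
      Acct Session ID:  0x00000009
               Handle:  0x0E000007

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
----------------------------------------
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.50.2
            User-Name:  nac\darrimil
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Healthy
        Authorized By:  Authentication Server
          Vlan Policy:  50
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000D0030B498
      Acct Session ID:  0x00000011
               Handle:  0x1500000D

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
----------------------------------------
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.50.2
            User-Name:  nac\darrimil
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000E005DD8A8
      Acct Session ID:  0x00000013
               Handle:  0xF900000E
"""


def parse_sessions(text: str) -> List[Dict]:
    """Split the output on the '----' separator; 'Key:  Value' lines become dict entries,
    the 'Runnable methods list' block becomes a {method: state} dict under 'methods'."""
    sessions: List[Dict] = []
    cur: Dict = {"methods": {}}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            sessions.append(cur)
            cur, in_methods = {"methods": {}}, False
        elif not line:
            continue
        elif line == "Runnable methods list:":
            in_methods = True
        elif in_methods:
            if line.startswith("Method"):
                continue                      # column header
            method, _, state = line.partition(" ")
            cur["methods"][method] = state.strip()
        else:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    if len(cur) > 1:                          # last session has no trailing separator
        sessions.append(cur)
    return sessions


def nas_ip_from_session_id(csid: str) -> str:
    """Common Session ID = NAS IPv4 (8 hex digits) + session counter + timestamp (assumed layout)."""
    return ".".join(str(int(csid[i:i + 2], 16)) for i in range(0, 8, 2))


def authorised_method(s: Dict) -> Optional[str]:
    return next((m for m, st in s["methods"].items() if st == "Authc Success"), None)


def check_sessions(sessions: List[Dict], mab_ok_domains=("VOICE",)) -> List[Tuple[str, str]]:
    """Return (MAC, message) findings for sessions that are authorised but look wrong."""
    findings: List[Tuple[str, str]] = []
    for s in sessions:
        if s.get("Status") != "Authz Success":
            continue
        mac, domain = s.get("MAC Address", "?"), s.get("Domain", "?")
        if authorised_method(s) == "mab" and domain not in mab_ok_domains:
            findings.append((mac, f"{domain} host authorised by MAB after dot1x "
                                  f"'{s['methods'].get('dot1x')}': no working supplicant"))
        if domain == "DATA" and s.get("Vlan Policy", "N/A") == "N/A":
            findings.append((mac, "authorised without a VLAN policy: RADIUS attributes were ignored, "
                                  "check 'aaa authorization network default group radius'"))
    return findings


if __name__ == "__main__":
    parsed = parse_sessions(SHOW_OUTPUT)
    for s in parsed:
        print(f"{nas_ip_from_session_id(s['Common Session ID'])} {s['Interface']} "
              f"{s['MAC Address']} {s['Domain']} via {authorised_method(s)} vlan={s.get('Vlan Policy', 'N/A')}")
    for mac, msg in check_sessions(parsed):
        print(f"FINDING {mac}: {msg}")
```

Run against the deck's output this flags only the third session; the IP phone that fell back to MAB is accepted because phones are expected to do that. Extend `mab_ok_domains` or key the policy on the User-Name pattern if printers and other non-supplicant devices live in the DATA domain.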


EAP Problem: Certificate Trust Issues

One of the most common issues seen in deployments and pilots (the ACS 5.0 and ACS 4.2 failed-authentication reports are shown on the slide).


802.1X Authorisation Failure 1

Case: network authorisation is NOT ENABLED on the NAD; the following CLI is missing:

aaa authorization network default group radius

ACS Message Type: Authentication Successful

Authentication Failure Reason (AFR): none, since authentication succeeds

User experience: balloon message "Windows cannot connect you to the network (contact your network administrator)"

What happens on the switch:

–VLAN assignment "succeeds" but assigns the port to VLAN 0. Since there is no VLAN 0, the default port VLAN is used, and if there is no DHCP set up for that VLAN the client cannot obtain an IP address.

–Session-Timeout (RADIUS attribute 27) is not applied to the port as the reauthentication timer value: the reauthentication timer becomes 0, which means there is no reauthentication.

–The supplicant might retry DHCP if it cannot get an IP address.


802.1X Authorisation Failure 1: Debug Output

ID-6500a#debug condition interface GigabitEthernet 7/1     (new feature: conditional debugging limits output to one port)
ID-6500a#debug auth feature vlan_assign event
Auth Feature vlan_assign events debugging is on
*Dec 15 14:46:58.439: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1

ID-6500a#sho authentication sess interface g 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.50.2
            User-Name:  nac\darrimil
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000E005DD8A8
      Acct Session ID:  0x00000013
               Handle:  0xF900000E

Note that authorisation is reported as succeeded and the session shows Authz Success, yet Vlan Policy is N/A: the "Successfully assigned VLAN 0" line is the only direct clue.


802.1X Authorisation Failure 2

Case: an invalid RADIUS attribute is sent in the RADIUS Access-Accept

ACS Message Type: Authentication Successful

AFR: none, since authentication succeeds

User experience: balloon message "Windows cannot connect you to the network (contact your network administrator)"

A RADIUS Access-Accept with an invalid attribute 81 (Tunnel-Private-Group-ID) is sent. The basic rule is that attribute 81 must be either a string or an integer: if a string, it must match a VLAN name that exists on the switch; if an integer, it must match a VLAN ID that exists on the switch.

The Passed Authentications report shows the authentication as successful: an authorisation failure on the switch is NEVER reported back to ACS.

*Dec 15 15:03:21.007: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1


802.1X Authorisation Failure 3

Case: a downloadable ACL (dACL) is sent in the RADIUS Access-Accept, but the port has no interface ACL

ACS Message Type: Authentication Successful

AFR: none, since authentication succeeds

User experience: balloon message "Windows cannot connect you to the network (contact your network administrator)"

When the Downloadable ACL feature is used there must be an interface ACL applied to the interface (the dACL is merged into it). The dACL is downloaded successfully, but applying it fails with "Interface ACL not configured" and authorisation fails:

*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %EPM-6-POLICY_REQ: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=APPLY
*Aug 26 13:44:29.991: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-REQUEST
*Aug 26 13:44:30.003: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-SUCCESS
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.003: %EPM-6-IPEVENT: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=IP-WAIT
*Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1

The Passed Authentications report shows the authentication as successful: an authorisation failure on the switch is NEVER reported back to ACS.
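Because none of the three authorisation failures above reaches ACS, the switch syslog is the only place they can be caught. The following is an added example (not part of the Cisco deck) that classifies switch log lines into the three cases: it reports the "Successfully assigned VLAN 0" event directly (authorisation "succeeds" there), and pairs an %AUTHMGR-5-FAIL line with the cause line that precedes it for the same client or interface (%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND, or %EPM-4-POLICY_APP_FAILURE). The sample log is assembled from the lines shown on the three slides; the message formats are as printed there, and the interface-name shortening is an assumption for matching Gi7/1 against GigabitEthernet7/1. Note that the VLAN 0 line comes from debug auth feature vlan_assign, not from default syslog, so in production that case is better detected from show authentication sessions.

```python
"""Added example (not part of the Cisco deck): classify 802.1X authorisation
failures from IOS switch log lines, since ACS never sees them.

Sample log lines are assembled from the three 'Authorisation Failure' slides.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
*Dec 15 14:46:58.439: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.007: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
"""


@dataclass
class Finding:
    kind: str
    interface: Optional[str]
    mac: Optional[str]
    detail: str


FAIL_RE = re.compile(r"%AUTHMGR-5-FAIL: Authorization failed for client \(([0-9a-f.]+)\) on Interface (\S+)")
VLAN0_RE = re.compile(r"AUTH-FEAT-VLAN-ASSIGN-EVENT \((\S+)\): Successfully assigned VLAN 0$")
BADVLAN_RE = re.compile(r"%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: .*?VLAN (\S+) to 802\.1x port (\S+)")
DACL_RE = re.compile(r"%EPM-4-POLICY_APP_FAILURE: .*?MAC=([0-9a-f.]+)\|.*?POLICY_NAME=([^|]+)\|.*?REASON=(.*)$")


def short_if(name: str) -> str:
    """'GigabitEthernet7/1' -> 'Gi7/1' so cause and FAIL lines can be matched (assumed convention)."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", name)


def classify(log_text: str) -> List[Finding]:
    """One Finding per authorisation problem; cause lines are held until the matching
    %AUTHMGR-5-FAIL arrives, keyed by MAC (EPM lines) or interface (VLAN lines)."""
    findings: List[Finding] = []
    pending: Dict[str, Tuple[str, str]] = {}
    for line in log_text.splitlines():
        if m := VLAN0_RE.search(line):
            # Failure 1: authorisation 'succeeds' with VLAN 0, so no FAIL line will follow.
            findings.append(Finding("missing-network-authorization", m.group(1), None,
                                    "VLAN 0 assigned: 'aaa authorization network default group radius' "
                                    "is missing, Access-Accept attributes are ignored"))
        elif m := BADVLAN_RE.search(line):
            pending[short_if(m.group(2))] = (
                "bad-vlan-attribute",
                f"Tunnel-Private-Group-ID (attribute 81) names VLAN '{m.group(1)}', "
                f"which does not exist or is shut down on the switch")
        elif m := DACL_RE.search(line):
            pending[m.group(1)] = ("dacl-apply-failed",
                                   f"downloadable ACL {m.group(2)} not applied: {m.group(3).strip()}")
        elif m := FAIL_RE.search(line):
            mac, iface = m.group(1), short_if(m.group(2))
            kind, detail = (pending.pop(mac, None) or pending.pop(iface, None)
                            or ("unknown", "no preceding cause line for this client"))
            findings.append(Finding(kind, iface, mac, detail))
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f.kind:<30} {f.interface or '-':<8} {f.mac or '-':<16} {f.detail}")
```

The `unknown` kind is deliberate: an %AUTHMGR-5-FAIL with no recognised cause is still an authorisation failure the RADIUS server will never report, so it should page someone rather than be dropped on the floor.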


Looking Forward


Overview of Cisco TrustSec

Cisco TrustSec (CTS) affects multiple areas of the network and comprises improvements in the following areas:

–Identification, authentication and authorisation for all networked entities, and classification into topology-independent security groups

–Centralised Role Based Access Control (RBAC) policy administration

–Confidentiality and integrity


SGACL Enforcement

Security Group ACLs (SGACLs, the slides also call them RBACLs) are written between a source group tag (SGT) and a destination group tag (DGT) rather than between IP addresses. The policy, held on Cisco ACS with the user-to-role mapping coming from an external directory server, is the same in all three slides:

SGT | Permitted destinations (DGT)
4   | Server 1 + Server 2
7   | Server 1
9   | Server 2

1. A Security Group Tag is applied on the ingress switch port (User 1 receives SGT 4, User 2 SGT 7, User 3 SGT 9).
2. Role/attribute-based ACL policies are applied on the security group tags at the enforcement point (permit, deny, log, police, remark, span, redirect, ...).

Result:

–User 1 (SGT 4) has access to both servers

–User 2 (SGT 7) has access to Server 1

–User 3 (SGT 9): access to Server 1 denied


Customer Case Studies


802.1X Deployment Case Study 1

Retailer required to only allow their assets to connect to the network due to lack of physical security

Selected 802.1X as the technical solution after evaluation

Primarily a Microsoft desktop and server environment; small group of Mac OS X machines for designers

Approximately 14,000 ports at home office and remote stores

Cisco IP Telephony environment

Pervasive Wireless environment


802.1X Deployment Case Study 1 (Cont.)

Selected Machine Authentication only for wired and wireless

Leveraged the automatic provisioning of machine certificates in Active Directory to provision the machine credentials (automatic user certificates also possible)

Manually provisioned non AD devices if possible

Failed authentications and unknown MAC addresses assigned to a "guest" VLAN on wired only at the home office; no "guest" VLAN at remote sites

No guest WLAN access

IAB (Inaccessible Authentication Bypass) used for AAA failures, for remote office survivability

Multiple Supplicants; try to leverage native OS supplicant if possible


802.1X Deployment Case Study 1 (Cont.)

Lab Work

– IP Telephony handled by CDP exceptions

–PXE tested and handled via MAB

–Tested "Guest VLAN" backhaul and proxy for AUP (acceptable use policy)

No Wake On LAN

Decided to handle credential re-provisioning via SSL VPN account triggered via help desk ticket

Bought 3rd party tool to build MAC address database

Extended SIM for reporting

Decided on access layer only deployment since Data Centre had physical security


802.1X Deployment Case Study 1 Methodology

Conducted POC with Network/Desktop Operations

Pre-production pilot with all of IT

– Monitored failed authentications / unknown MACs via group reports to catch supplicant configuration issues and unknown devices

– Ran trend reports on IPT and PXE support calls to judge impact

Deployed supplicant configuration/credentials before switches

Deployed "Internet" VLAN with appropriate backhaul to the Internet edge

Deployed 802.1X in "monitor" mode on a per-building basis

– 802.1X, MAB, unknown MAB and failed VLAN all went to the default port VLAN

– Continued trend reporting for other services

Deployed 802.1X "guest enforcement"


Case Study 2: 802.1X Implementation 802.1X facts and figures

4000 devices with 802.1x supplicant (Windows XP, SP2)

0 devices with MAB

96% dedicated PC, 4% shared PC for internet access

7500 ports with 802.1x activated

2 ACS Appliances for RADIUS

20 AD/Radius groups

650 VLANs

100 meeting rooms with "wired only" Guest VLAN

More Information: CCS-1001 802.1X Case Study


Case Study 2: MBDA Group Structure

MBDA is owned by EADS (37.5%), BAE SYSTEMS (37.5%) and FINMECCANICA (25%); MBDA in turn wholly owns (100%) MBDA France, MBDA UK, MBDA Deutschland and MBDA Italia.

Integrated organisation


Summary

802.1X improves enterprise security

802.1X improves enterprise visibility

802.1X is a platform for other security initiatives

Supplicants are important

802.1X is deployable now

New features have significantly simplified deployment

802.1X is not only a network project, it affects the whole IT organisation


Q & A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books


Complete Your Online Session Evaluation

Complete your session evaluation:

Directly from your mobile device by visiting www.ciscoliveaustralia.com/mobile and login by entering your badge ID (located on the front of your badge)

Visit one of the Cisco Live internet stations located throughout the venue

Open a browser on your own computer to access the Cisco Live onsite portal


Meet The Expert

To make the most of your time at Cisco Live 2011, schedule a Face-to-Face Meeting with a top Cisco expert.

Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.

Visit the Meeting Centre reception desk located in the World of Solutions
