TRANSCRIPT
BRKSEC-2005
Deploying Wired 802.1x
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKSEC-2005
Session Objective
Understand base 802.1X concepts
Learn the benefits of deploying 802.1X
Learn how to configure and deploy 802.1X
Learn lessons on how to make it work when you get back to your lab
Agenda
802.1X and Wired Access
Default Functionality
Deployment Considerations
Reporting and Monitoring
Looking Forward
Deployment Case Study
What We Won’t Be Covering
AAA authentication on routers
IPSec authentication
In-depth concepts on identity management and single sign-on (upper layer identity)
Specific Extensible Authentication Protocol (EAP) methods in depth
X.509 certificates and PKI
Wireless LAN 802.1X
Switch Features that are not consistent across platforms
CatOS
802.1X and Wired Access
Why Is 802.1X Important in the Campus?
1. Who are you? 802.1X (or a supplementary method) authenticates the user.
2. Where can you go? Based on the authentication, the user is placed in the correct VLAN.
3. What service level do you receive? The user can be given per-user services (ACLs today, more to come).
4. What are you doing? The user's identity and location can be used for tracking and accounting.
In short:
• Keep the outsiders out
• Keep the insiders honest
• Personalise the network
• Increase network visibility
Basic Identity Concepts
What is an identity?
• An assertion of who we are
• Allows us to differentiate between one another
What does it look like? Typical network identities include:
• Username / password
• Email: [email protected]
• MAC address: 00-0c-14-a4-9d-33
• IP address: 10.0.1.199
• Digital certificates
How do we use identities?
• To grant appropriate authorisations, i.e. rights to services within a given domain
What Is Authentication? Authorisation?
Authentication is the process of establishing and confirming the identity of a client requesting services.
Authentication is only useful if it is used to establish a corresponding authorisation (e.g. access to a bank account):
"I'd like to withdraw 100.00 AUD please."
"Do you have identification?"
"Yes, I do. Here it is."
"Thank you. Here's your 100 AUD."
An authentication system is only as strong as the method of verification used.
Identity-Enabled Networking
Applying the authentication model to the network:
"I'd like to connect to the network."
"Identification required."
"Here is my identification."
"Identification verified, access granted!"
Default Functionality
IEEE 802.1X
Standard set by the IEEE 802.1 working group
Is a framework designed to address and provide port-based access control using authentication
802.1X is primarily an encapsulation definition for EAP over IEEE 802 media—EAPOL (EAP over LAN) is the key protocol
Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
Assumes a secure connection
Actual enforcement is via MAC-based filtering and port-state monitoring
802.1X Port Access Control Model
Supplicant --(Layer 2: request for service/connectivity)--> Authenticator --(Layer 3: backend authentication support)--> Authentication Server --(identity store integration)--> Identity Store/Management
• Supplicant: desktop/laptop, IP phone, WLAN AP, switch
• Authenticator: switch, router, WLAN AP
• Authentication server: IAS / NPS, ACS, any IETF RADIUS server
• Identity store/management: MS Active Directory, LDAP, NDS, ODBC
802.1X Protocols
Supplicant <--EAP over LAN (EAPoL) / EAP over WLAN (EAPoW), Layer 2--> Authenticator <--RADIUS carrying EAP, Layer 3--> Authentication Server <--ID store-dependent protocol--> Identity Store
802.1X - Extensible Authentication Protocol (EAP)
EAP establishes and manages the authentication conversation; it allows authentication by encapsulating various types of authentication exchanges (EAP methods).
EAP provides a flexible link-layer security framework:
– Simple encapsulation protocol
  • No dependency on IP
– Few link-layer assumptions
  • Can run over any link layer (PPP, 802, etc.)
  • Assumes the lower layer does not reorder packets
  • Can run over lossy or lossless media (EAP does its own retransmission)
Defined by RFC 3748
802.1X - RADIUS
RADIUS acts as the transport for EAP from the authenticator to the authentication server.
RFC 3579 specifies how RADIUS should support EAP between the authenticator and the authentication server.
RADIUS is also used to carry policy instructions (authorisation) back to the authenticator in the form of AV pairs (attribute-value pairs).
RFC 3580 gives usage guidelines for 802.1X authenticators' use of RADIUS.
Packet layout on the wire:
  IP Header | UDP Header | RADIUS Header | EAP Payload
  IP Header | UDP Header | RADIUS Header | EAP Payload | AV Pairs
A Closer Look: IOS Switch Configuration
The port stays unauthorised until the supplicant authenticates. Global and interface configuration on Cisco IOS:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.100.100.100
radius-server key cisco123
dot1x system-auth-control
interface GigabitEthernet1/0/1
 authentication port-control auto
 dot1x pae authenticator
(cisco123 is a slide example; the RADIUS shared secret protects every EAP exchange and authorisation result that crosses the switch-to-server link, so use a long random secret in production.)
A Closer Look: The Authentication Exchange
The actual authentication is between the client and the authentication server using EAP. The switch is an EAP conduit, but it is aware of what is going on. EAP rides on 802.1X (EAPOL) between supplicant and switch and on RADIUS between switch and server; the exchange in the middle is EAP-method dependent.
1. Port unauthorised. Supplicant -> Switch: EAPOL-Start
2. Switch -> Supplicant: EAP-Identity-Request
3. Supplicant -> Switch: EAP-Identity-Response (relayed to the AAA server in RADIUS)
4. Supplicant <-> AAA server: EAP authentication exchange (method dependent), relayed by the switch as an auth exchange with the AAA server
5. AAA server -> Switch: authentication success and policy instructions; Switch -> Supplicant: EAP-Success. Port authorised.
6. Supplicant -> Switch: EAPOL-Logoff. Port unauthorised again.
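The exchange above on the wire, as an added example (not code from the session or from Cisco): a builder and a bounds-checked parser for the EAPOL and EAP headers, producing the five supplicant/switch frames of the sequence. Constants come from IEEE 802.1X and RFC 3748; the MAC addresses and the identity "sally" are made-up sample values.

```python
"""EAPOL/EAP framing for a basic 802.1X exchange: EAPOL-Start,
EAP-Request/Identity, EAP-Response/Identity, EAP-Success, EAPOL-Logoff."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAPOL_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_frame(dst, src, eapol_type, payload=b"", version=1):
    """Ethernet II frame carrying an EAPOL PDU: Version(1) Type(1) Length(2) Body."""
    eapol = struct.pack("!BBH", version, eapol_type, len(payload)) + payload
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_frame(frame):
    """Parse an EAPOL frame; raise ValueError on anything malformed.
    Both length fields are checked against the bytes actually present, so a
    truncated or padded frame cannot make the parser read outside the PDU."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame: ethertype 0x%04x" % ethertype)
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if eapol_type not in EAPOL_NAMES:
        raise ValueError("unknown EAPOL packet type %d" % eapol_type)
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
            "eapol": EAPOL_NAMES[eapol_type]}
    if eapol_type != EAPOL_EAP_PACKET:
        return info                     # Start/Logoff carry no EAP packet
    if length < 4:
        raise ValueError("EAP header truncated")
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_NAMES or eap_len < 4 or eap_len > length:
        raise ValueError("bad EAP code/length")
    eap = {"code": EAP_NAMES[code], "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_len < 5:
            raise ValueError("EAP request/response without Type")
        eap["type"] = body[4]
        eap["data"] = body[5:eap_len]
    info["eap"] = eap
    return info


def is_malformed(frame):
    try:
        parse_frame(frame)
        return False
    except ValueError:
        return True


def identity_exchange(supplicant_mac, switch_mac, identity):
    """The supplicant/switch frames of the exchange above, parsed back.
    The method-dependent EAP exchange (step 4) is omitted."""
    sup, sw = bytes.fromhex(supplicant_mac), bytes.fromhex(switch_mac)
    frames = [
        build_frame(PAE_GROUP_ADDR, sup, EAPOL_START),                          # 1
        build_frame(sup, sw, EAPOL_EAP_PACKET,
                    build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),              # 2
        build_frame(PAE_GROUP_ADDR, sup, EAPOL_EAP_PACKET,
                    build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)),   # 3
        build_frame(sup, sw, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 2)),      # 5
        build_frame(PAE_GROUP_ADDR, sup, EAPOL_LOGOFF),                         # 6
    ]
    return [parse_frame(f) for f in frames]
```

Note that the supplicant addresses its frames to the PAE group address 01:80:C2:00:00:03, which bridges do not forward, while the switch replies to the supplicant's unicast MAC; the Identity-Response is the one field here an attacker on the wire can read in clear, which is why EAP methods that tunnel the real identity (and the credential) matter.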
Default Security with 802.1X: Before Authentication
Strict access control, no visibility (yet): the user is unknown.
interface fastEthernet 3/48
 authentication port-control auto
ALL traffic except EAPoL is dropped.
One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else).
Default Security with 802.1X: After Authentication
The user/device is known (authenticated user: Sally); identity-based access control.
• Single MAC per port
• To the user, the port looks the same as without 802.1X
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
Default authorisation is simply on or off. Dynamic VLANs or ACLs can be used to customise the user experience.
Default Security: Consequences
Default 802.1X challenge: devices without supplicants can't send EAPoL. No EAPoL = no access, so such devices stay offline.
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
One physical port -> two virtual ports: the uncontrolled port (EAPoL only) and the controlled port (everything else).
Default Security: More Consequences
Multiple MACs on a port are assumed to be malicious.
• Hubs, gratuitous ARPs, VMware (a VM bridged to the host NIC shows up as a second MAC)
interface fastEthernet 3/48
 authentication port-control auto
 dot1x pae authenticator
Deployment Considerations
802.1X Deployment Considerations
Non-802.1X Clients & Guests
Failed Access Handling
RADIUS Availability
Flexible Authentication Sequencing
Multiple Devices Per Port
Authorisation
Authentication and Endpoint Considerations
802.1X and Microsoft Windows
Other Considerations
Handling Non-802.1X Clients & Guests
Authenticate via a less-secure method:
– MAC Authentication Bypass (MAB)
– Web Auth (client must have a browser)
Give them limited access after timeout and no response:
– Guest VLAN
Allow WLAN access instead of wired:
– WLAN is a great way to do guest access if available
802.1X with Guest VLAN
Endpoint host (00.0a.95.7f.de.04) and Catalyst switch, timeline:
1. Link up; the switch sends EAP-Identity-Request #1. Timeout (30 s), no response.
2. EAP-Identity-Request #2. Timeout, no response.
3. EAP-Identity-Request #3. Timeout, no response.
4. Port "authorised" into the guest VLAN; the switch sends EAP-Success.
• Any 802.1X-enabled switchport will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
• A device is only deployed into the guest VLAN based on the lack of response to the switch's EAP-Request-Identity frames (which can be thought of as 802.1X hellos)
• No further security or authentication is applied. It's as if the administrator de-configured 802.1X (i.e. multi-host) and hard-set the port into the specified VLAN
• 90 seconds (3 x 30 s) is greater than the MSFT DHCP timeout
interface GigabitEthernet 1/1
 authentication event no-response action authorize vlan 50
MAC Authentication Bypass (MAB)
Endpoint host (00.0a.95.7f.de.06), Catalyst switch and ACS 5.0, timeline:
1. Link up; EAP-Identity-Request #1. Timeout, no response.
2. EAP-Identity-Request #2. Timeout, no response.
3. EAP-Identity-Request #3. Timeout, no response.
4. Fallback to MAB.
5. The switch learns the endpoint's MAC from its first frame.
6. Switch -> ACS: RADIUS Access-Request with username 00.0a.95.7f.de.06.
7. ACS -> Switch: RADIUS Access-Accept; port authorised.
Note 1: The default timeout and retransmits are 30 seconds and 3 attempts. These can be tweaked.
Note 2: With Low Impact Mode, you can allow the endpoint to process DHCP before authentication, to alleviate DHCP timeouts.
Note 3: The authorisations available to endpoints include VLAN and/or ACLs.
interface GigabitEthernet 1/1
 mab
MAB Limitations & Challenges
• MAB requires creating and maintaining a MAC database
• Default 802.1X timeout = 90 seconds
  – 90 s > default MSFT DHCP timeout
  – 90 s > default PXE timeout
Current workaround: timer tuning (always requires testing)
• max-reauth-req: maximum number of times (default: 2) that the switch retransmits an EAP-Identity-Request frame on the wire
• tx-period: number of seconds (default: 30) that the switch waits for a response to an EAP-Identity-Request frame before retransmitting
• 802.1X timeout == (max-reauth-req + 1) * tx-period, so the defaults give (2 + 1) * 30 = 90 seconds
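The timer arithmetic and the fallback sequence of the Guest VLAN and MAB slides, as an added example (not from the session): a dry run of the switch's identity-request retransmissions and what finally authorises a silent port, plus a helper that picks a tx-period that keeps the 802.1X timeout inside the endpoint's own DHCP/PXE wait. The endpoint wait (client_budget) is a caller-supplied assumption, not a Cisco or Microsoft default.

```python
"""802.1X timeout arithmetic and a dry run of the fallback timeline."""


def dot1x_timeout(tx_period=30, max_reauth_req=2):
    """(max-reauth-req + 1) * tx-period: seconds a silent endpoint waits
    before the switch falls back to MAB / guest VLAN."""
    return (max_reauth_req + 1) * tx_period


def tune_tx_period(client_budget, max_reauth_req=2, min_tx_period=1):
    """Largest tx-period keeping the 802.1X timeout strictly below the seconds
    the endpoint will wait for DHCP/PXE (client_budget, an assumption the
    caller must measure). None if no tx-period >= min_tx_period fits."""
    tx_period = (client_budget - 1) // (max_reauth_req + 1)
    return tx_period if tx_period >= min_tx_period else None


def simulate_port(tx_period=30, max_reauth_req=2, supplicant=False,
                  mab=False, mac_known=False, guest_vlan=None):
    """Walk a port through the slide's timeline.
    Returns (outcome, seconds_after_link_up, log)."""
    t, log = 0, ["0s link up"]
    for attempt in range(max_reauth_req + 1):
        log.append("%ds EAP-Request-Identity #%d" % (t, attempt + 1))
        if supplicant:                   # a supplicant answers the first request
            return "dot1x", t, log
        t += tx_period
        log.append("%ds timeout, no response" % t)
    if mab:                              # fall back to MAB on the first data frame
        log.append("%ds fallback to MAB" % t)
        if mac_known:
            return "mab", t, log
        log.append("%ds MAB rejected (unknown MAC)" % t)
    if guest_vlan is not None:           # no-response action: guest VLAN
        log.append("%ds authorised into guest VLAN %d" % (t, guest_vlan))
        return "guest-vlan", t, log
    return "unauthorised", t, log


def fallback_is_safe(client_budget, tx_period=30, max_reauth_req=2):
    """True if a non-802.1X endpoint reaches MAB / guest VLAN before its own
    DHCP/PXE wait (client_budget seconds, an assumption) runs out."""
    return dot1x_timeout(tx_period, max_reauth_req) < client_budget
```

The point of the dry run is the second argument of the result: with defaults a printer reaches MAB 90 seconds after link up, with tx-period 10 it reaches MAB at 30 seconds, and the test below is the kind of check to run against the measured DHCP and PXE behaviour of each endpoint class before changing timers fleet-wide.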
MAB + LDAP/Profiler
Same timeline as the MAB slide (endpoint 00.0a.95.7f.de.06, Catalyst switch, ACS 5.0), but ACS consults a NAC Profiler instead of a hand-maintained MAC list:
1-3. Link up, three EAP-Identity-Requests, each times out with no response.
4. Fallback to MAB; the switch learns the MAC.
5. Switch -> ACS: RADIUS Access-Request with username 00.0a.95.7f.de.06.
6. ACS -> NAC Profiler: LDAP query for 00.0a.95.7f.de.06; the profiler answers with an LDAP accept (the MAC is a known, profiled endpoint).
7. ACS -> Switch: RADIUS Access-Accept.
Notes 1-3 from the MAB slide apply unchanged (default 30 s x 3 attempts, Low Impact Mode for DHCP, VLAN and/or ACL authorisation).
Web Authentication for Non-802.1X Users ("Flex Auth": multiple triggers, single port config)
Triggers: 802.1X timeout, 802.1X failure, MAB failure.
1. One of the triggers fires.
2. Port enabled, pre-auth ACL applied.
3. Host acquires an IP address (DHCP/DNS), which triggers session state on the switch.
4. Host opens a browser, gets the login page and sends its username/password.
5. Switch queries the AAA server; the server authorises the user and returns policy.
6. Switch applies the new ACL policy.
802.1X with Web-Auth: Deployment Considerations
Web-Auth is only for users (not devices):
• browser required
• manual entry of username/password
Web-Auth can be a fallback from 802.1X or MAB.
Web-Auth and Guest VLAN* are mutually exclusive.
Web-Auth supports ACL authorisation only (no VLAN assignment).
Web-Auth behind an IP phone requires Multi-Domain Authentication* (MDA).
* Discussed in later sections
Failed Access Handling
Authentication Failures: 802.1X Client Without a Valid Credential
Supplicant -> Switch: EAPoL-Start*
Switch -> Supplicant: EAPoL Request-Identity
Supplicant -> Switch: EAPoL Response-Identity; Switch -> RADIUS: Access-Request
(EAP method exchange*)
RADIUS -> Switch: Access-Reject; Switch -> Supplicant: EAP-Failure
The port never grants access.
* Note: EAPOL-Starts are optional, the possibility of an EAP-NAK is left out intentionally, and the EAP exchange depends on the method.
• This works great in preventing rogue access to a network!
• This is a primary reason enterprises look to deploy 802.1X/identity networking!
• This is also the problem! (How should we provide access to devices that fail?)
Why Provide Access to Devices that Fail?
Employees' credentials expire or are entered incorrectly ("802.1X: certificate expired!", "802.1X: user unknown!").
As 802.1X becomes more prevalent, more guests will fail auth because they have 802.1X enabled by default.
Many enterprises require that guests and failed corporate assets get conditional access to the network:
– Re-provision credentials through a web proxy or VPN tunnel
– Provide guest access through VLAN assignment or web proxy
Failed Auth: Solution 1 - Auth-Fail VLAN
Attempt 1: EAPoL-Start, Request-Identity, Response-Identity, RADIUS Access-Request -> RADIUS Access-Reject, EAP-Failure
Attempt 2: Request-Identity, Response-Identity, RADIUS Access-Request -> RADIUS Access-Reject, EAP-Failure
Attempt 3: Request-Identity, Response-Identity, RADIUS Access-Request -> RADIUS Access-Reject, but the switch sends "EAP-Success"
interface GigabitE 3/13
 authentication port-control auto
 authentication event fail action authorize vlan 51
Port is now granted access: on the "third" consecutive failure, the port is enabled in VLAN 51 and an EAPOL-Success is transmitted to the supplicant.
802.1X with Auth-Fail VLAN: Deployment Considerations
1. The supplicant cannot exit the Auth-Fail VLAN on its own
   • Only alternatives: switch-initiated re-authentication or a port bounce
2. No secondary authentication mechanism
3. The Auth-Fail VLAN, like the Guest VLAN, is a switch-local authorisation -> the centralised policy on the AAA server is not enforced
4. The switch and the AAA server have conflicting views of the network: the switch has granted access (Auth-Fail VLAN) while the AAA server recorded access denied
Failed Auth: Solution 2 - FlexAuth: Next-Method
1. EAPoL-Start, Request-Identity, Response-Identity, RADIUS Access-Request -> RADIUS Access-Reject
2. Next method: MAB. The switch learns the MAC address and sends a RADIUS Access-Request with the MAC address as the username
3. RADIUS Access-Accept -> port enabled
interface GigabitE 3/13
 authentication port-control auto
 authentication order dot1x mab
 mab
 authentication event fail action next-method
Port is now granted access based on the MAB authorisation: on 802.1X failure, the port continues to the next authentication method (MAB).
802.1X with Next-Method MAB: Deployment Considerations
1. MAC database required
2. Policy decision: should 802.1X-capable devices get the same access level if they authenticate via MAB after failing 802.1X?
RADIUS Availability
RADIUS Availability
• The switch detects that AAA is unavailable by one of two methods:
  1. Failure to respond to an AAA request
  2. Periodic probe
Typical scenario: the RADIUS server sits across a WAN/Internet link or VPN tunnel from the switch, so the EAPOL-Start / EAP-Success exchange depends on that link being up.
The Problem: RADIUS Unavailable
1. Client <-> Switch: EAP-Identity exchange
2. Switch -> RADIUS: Access-Request, retried repeatedly with no answer (RADIUS unreachable)
3. Switch -> Client: EAPOL-Failure
The port does not grant access.
Inaccessible Authentication Bypass (aka Critical Auth)
1. Client <-> Switch: EAP-Identity exchange
2. Switch -> RADIUS: Access-Request, retried with no answer; the switch declares the server dead
3. Port authorised into the specified critical VLAN
When the RADIUS server becomes available again, the 802.1X state machine is re-initialised immediately: EAP-Identity exchange, auth exchange with the AAA server, EAP-Success/Failure, and the port is authorised per the dynamic authorisation policy (or rejected).
IOS:
dot1x critical recovery delay 100
radius-server host x.x.x.x test username [username]
radius-server dead-criteria time 15 tries 3
interface GigabitEthernet 1/0/1
 dot1x critical
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
The test username enables the periodic probe (method 2 above); it does not need to exist on the server, since any RADIUS response, Accept or Reject, proves the server alive. dead-criteria marks the server dead after 15 seconds and 3 unanswered tries. The recovery delay (in milliseconds) staggers the re-initialisation of critical-authorised ports so a recovering server is not hit by every port at once.
Inaccessible Authentication Bypass: 802.1X State Machine
With the configuration above, the sequence on the port is:
1. EAP-Identity-Request / EAP-Identity-Response
2. EAP auth exchange, relayed as an auth exchange with the AAA server
3. Authentication successful/rejected -> EAP-Success/Failure; port authorised per policy
4. If the AAA server is dead, the port is authorised into the critical VLAN instead; when the RADIUS server comes back, the state machine re-initialises immediately and steps 1-3 run again.
Flexible Authentication Sequencing
Flexible Authentication Sequencing (Flex-Auth)
Flex-Auth fallback examples we've already seen:
– Configurable behaviour after 802.1X failure
  • authentication event fail action authorize vlan X
  • authentication event fail action next-method
– Configurable behaviour after 802.1X timeout
  • authentication event no-response action authorize vlan Y
– Configurable behaviour before and after the AAA server dies
  • authentication event server dead action authorize vlan Z
  • authentication event server alive action reinitialize
Two more features complete Flex-Auth:
  • authentication order
  • authentication priority
Flex-Auth Sequencing
Default order (802.1X first): by default, the switch attempts the most secure auth method first.
  802.1X -> 802.1X timeout -> MAB -> MAB fails -> Guest VLAN
  The 802.1X timeout can mean a significant delay before MAB.
Flex-Auth order (MAB first):
  MAB -> MAB fails -> 802.1X -> 802.1X timeout -> Guest VLAN
  The alternative order does MAB on the first packet from the device.
Flex-Auth Order with Flex-Auth Priority
Default priority (with order MAB first): 802.1X is ignored after a successful MAB.
  MAB -> MAB passes -> port authorised by MAB -> EAPoL-Start received -> ignored
Flex-Auth priority (802.1X above MAB): 802.1X starts despite a successful MAB.
  MAB -> MAB passes -> port authorised by MAB -> EAPoL-Start received -> 802.1X runs and can take over the session
Priority determines which method can preempt other methods.
By default, the method sequence determines priority (the first method has the highest priority).
If MAB has priority, EAPoL-Starts will be ignored once MAB passes.
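The order and priority rules from the two slides above, as an added example (not from the session): an event-driven model of one port that answers, for a given `authentication order`, `authentication priority` and `event fail action`, which method runs next after a timeout or failure and whether an EAPoL-Start can preempt a port already authorised by MAB. It models the rules as the slides state them, not the IOS implementation; event names and the class are this example's own.

```python
"""Flex-Auth order / priority on one switchport, as stated on the slides."""


class FlexAuthPort:
    def __init__(self, order=("dot1x", "mab"), priority=None,
                 fail_action="next-method", auth_fail_vlan=None, guest_vlan=None):
        self.order = list(order)
        # authentication priority: first entry outranks the rest; defaults to the order
        self.priority = list(priority) if priority else list(order)
        self.fail_action = fail_action          # "next-method" or "authorize-vlan"
        self.auth_fail_vlan, self.guest_vlan = auth_fail_vlan, guest_vlan
        self.running = None                     # method in progress on the port
        self.authorized_by = None               # method or local VLAN that authorised it
        self.vlan = None
        self.log = []

    def link_up(self):
        self._start(self.order[0])

    def _start(self, method):
        self.running = method
        self.log.append("start %s" % method)

    def _next_after(self, method):
        i = self.order.index(method)
        return self.order[i + 1] if i + 1 < len(self.order) else None

    def _local_authorize(self, vlan, label):
        self.running, self.authorized_by, self.vlan = None, label, vlan
        self.log.append("authorised into %s %s" % (label, vlan))

    def event(self, name):
        """name: 'eapol-start' or '<method>-<timeout|fail|success>'."""
        if name == "eapol-start":
            outranks = self.priority.index("dot1x") < self.priority.index("mab")
            if self.running is None and self.authorized_by == "mab" and outranks:
                self._start("dot1x")     # 802.1X has priority: it may preempt the MAB session
            else:
                self.log.append("EAPoL-Start ignored")
            return
        method, result = name.split("-")
        if method != self.running:
            self.log.append("ignored %s: %s not running" % (name, method))
            return
        if result == "success":
            self.running, self.authorized_by, self.vlan = None, method, None
            self.log.append("authorised by %s" % method)
            return
        if result == "fail" and method == "dot1x" and self.fail_action == "authorize-vlan":
            self._local_authorize(self.auth_fail_vlan, "auth-fail vlan")
            return
        nxt = self._next_after(method)          # timeout / fail -> next method in order
        if nxt:
            self._start(nxt)
        elif self.guest_vlan is not None:       # nothing left to try: guest VLAN
            self._local_authorize(self.guest_vlan, "guest vlan")
        else:
            self.running = None
            self.log.append("unauthorised")


def run(port, events):
    """Bring the port up, feed it events, return (authorised-by, vlan)."""
    port.link_up()
    for e in events:
        port.event(e)
    return port.authorized_by, port.vlan
```

The last two scenarios in the test are the security-relevant ones: with MAB first and default priority, a device whose MAC is in the MAB database is never asked for its 802.1X credential even if it has a supplicant, so a MAB-first order should be paired with `authentication priority dot1x mab` unless that is the intended policy.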
Multiple Devices Per Port
802.1X & IPT: A Special Case - Voice Ports
With voice ports, a port can belong to two VLANs, still separating voice and data traffic while letting you configure 802.1X.
An access port able to handle two VLANs:
– Native or Port VLAN Identifier (PVID): untagged 802.3 frames, authenticated by 802.1X
– Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1Q frames, "authenticated" by CDP
The hardware is set to a dot1q trunk.
802.1X and Voice: Multi-Domain Authentication (MDA)
• MDA replaces CDP Bypass
• Supports Cisco and 3rd-party phones
• Phones and PCs use 802.1X or MAB
Two domains per port (802.1Q):
– Voice domain: the phone authenticates in the voice domain and tags its traffic in the VVID
– Data domain: the PC authenticates in the data domain and sends untagged traffic in the PVID
"Single device per port" becomes "single device per domain per port".
Minimum IOS: 3K 12.2(35)SEE, 4K 12.2(37)SG, 6K 12.2(33)SXI
MDA for Any IP Phone (no supplicant on the phone)
1) Phone learns the VVID from CDP (Cisco phone)
2) 802.1X times out
3) Switch initiates MAB: Access-Request with the phone MAC
4) ACS returns Access-Accept with the phone VSA
5) Phone traffic is allowed on either VLAN until it sends a tagged packet, then only on the voice VLAN
6) (Asynchronously) the PC authenticates using 802.1X (EAP) or MAB; PC traffic is allowed on the data VLAN only
interface GigE 1/0/5
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
MDA in Action
ID-6500a#sho authentication session int g 7/1
            Interface:  GigabitEthernet7/1
          MAC Address:  000f.2322.d9a2
           IP Address:  10.6.110.2
            User-Name:  00-0F-23-22-D9-A2
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Unknown
        Authorized By:  Authentication Server
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A0000000102124450
      Acct Session ID:  0x00000007
               Handle:  0x1D000001
--snip--
            Interface:  GigabitEthernet7/1
          MAC Address:  000d.60fc.8bf5
           IP Address:  10.6.80.2
            User-Name:  host/beta-supp
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Posture Token:  Healthy
        Authorized By:  Authentication Server
          Vlan Policy:  80
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A00645A000000020213FF9C
      Acct Session ID:  0x00000008
               Handle:  0x6E000002
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
Either 802.1X or MAB for the phone; any combination of 802.1X, MAB, Guest-VLAN, Auth-Fail-VLAN and IAB for the PC. Here the phone (VOICE domain) was authenticated by MAB (its User-Name is its own MAC address) and the PC (DATA domain, host/beta-supp) by 802.1X.
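The session output above, turned into something an operator can check automatically, as an added example (not from the session or from Cisco): a parser for this `show authentication session` layout, a function that tells which method actually authorised each session (from the runnable-methods table, or, where that part was snipped, from a User-Name that is just the MAC, which is how MAB identifies itself), and a check of the MDA rule of one authorised device per domain per port. The sample is the page's output with the leading whitespace stripped; the helper names are this example's own.

```python
"""Parse 'show authentication session' output and check MDA invariants."""
import re

# The page's output (whitespace trimmed); the first session's methods table was snipped.
SAMPLE = """\
Interface:  GigabitEthernet7/1
MAC Address:  000f.2322.d9a2
IP Address:  10.6.110.2
User-Name:  00-0F-23-22-D9-A2
Status:  Authz Success
Domain:  VOICE
Oper host mode:  multi-domain
Oper control dir:  both
Posture Token:  Unknown
Authorized By:  Authentication Server
Session timeout:  N/A
Idle timeout:  N/A
Common Session ID:  0A00645A0000000102124450
Acct Session ID:  0x00000007
Handle:  0x1D000001
--snip--
Interface:  GigabitEthernet7/1
MAC Address:  000d.60fc.8bf5
IP Address:  10.6.80.2
User-Name:  host/beta-supp
Status:  Authz Success
Domain:  DATA
Oper host mode:  multi-domain
Oper control dir:  both
Posture Token:  Healthy
Authorized By:  Authentication Server
Vlan Policy:  80
Session timeout:  N/A
Idle timeout:  N/A
Common Session ID:  0A00645A000000020213FF9C
Acct Session ID:  0x00000008
Handle:  0x6E000002
Runnable methods list:
Method   State
dot1x    Authc Success
mab      Not run
"""


def parse_sessions(text):
    """One dict per session; the runnable-methods table lands in 'methods'."""
    sessions, cur, in_methods = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):           # a new session record starts here
            cur = {"methods": {}}
            sessions.append(cur)
            in_methods = False
        if cur is None:
            continue
        if line == "Runnable methods list:":
            in_methods = True
            continue
        if in_methods:
            m = re.match(r"(dot1x|mab|webauth)\s+(.+)$", line)
            if m:
                cur["methods"][m.group(1)] = m.group(2)
            elif line and not line.startswith("Method"):
                in_methods = False                   # table ended
            continue
        m = re.match(r"([\w\s-]+?):\s+(.*)$", line)
        if m:
            cur[m.group(1)] = m.group(2)
    return sessions


def mac_as_username(mac):
    """MAB sends the MAC as RADIUS User-Name; IOS shows it as 00-0F-23-22-D9-A2."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def auth_method(session):
    """Method that authorised the session, or None if it is not authorised."""
    for method, state in session["methods"].items():
        if state == "Authc Success":
            return method
    if session.get("Status") != "Authz Success":
        return None
    # Methods table missing (snipped output): a User-Name equal to the MAC means MAB,
    # otherwise assume 802.1X, which is what a real user/host name implies.
    if session.get("User-Name") == mac_as_username(session.get("MAC Address", "")):
        return "mab"
    return "dot1x"


def mda_violations(sessions):
    """MDA allows exactly one authorised device per domain per port."""
    seen, problems = {}, []
    for s in sessions:
        if s.get("Status") != "Authz Success":
            continue
        key = (s["Interface"], s["Domain"])
        if key in seen:
            problems.append("%s %s: %s and %s both authorised"
                            % (key[0], key[1], seen[key], s["MAC Address"]))
        else:
            seen[key] = s["MAC Address"]
    return problems
```

Fed the output of every access port on a schedule, the same check finds the stale sessions discussed on the link-state slides that follow: a DATA session whose MAC is no longer the one actually plugged in behind the phone.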
IPT & 802.1X: The Link-State Problem
The PC sits behind the phone, so the switch port stays up when the PC is unplugged: the switch never sees a link-down event for the PC and its authenticated session (port authorised for 0011.2233.4455 only) remains authorised.
1) Legitimate users cause a security violation: PC A (0011.2233.4455) is replaced by PC B (6677.8899.AABB); the switch sees frames with source 6677.8899.AABB on a port authorised for a different MAC and raises a security violation.
2) Hackers can spoof the MAC to gain access without authenticating: an attacker sends frames with source 0011.2233.4455 and inherits the stale authorised session (security hole).
Previous Solution: Proxy EAPoL-Logoff
Before: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORISED, Authentication Method = Dot1x (PC A behind the phone).
PC A unplugs: the phone sends an EAPoL-Logoff on PC A's behalf; the session is cleared immediately by the proxy logoff -> Domain = DATA, Port Status = UNAUTHORISED.
PC B plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORISED, Authentication Method = Dot1x.
Caveats:
• Only for 802.1X devices behind the phone (an EAPoL-Logoff does not clear a MAB session)
Requires: logoff-capable phones
Previous Solution: MAB Inactivity Timeout
Before: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORISED, Authentication Method = MAB.
Device unplugs: the session stays authorised until the inactivity timer expires, so during that window the port is vulnerable to the security violation and/or the hole above.
Inactivity timer expires: session cleared, vulnerability closed -> Domain = DATA, Port Status = UNAUTHORISED.
Device reconnects and is re-authenticated via MAB: Supplicant = 0011.2233.4455, Port Status = AUTHORISED, Authentication Method = MAB.
interface GigE 1/0/5
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 12
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer inactivity 300
 mab
Caveats: quiet devices may have to re-auth, and network access is denied until the re-auth completes. There is still a window of vulnerability (up to the inactivity timer, 300 s here).
Minimum IOS: 3K 12.2(35)SE, 4K 12.2(50)SG, 6K 12.2(33)SXI
NEW Solution: CDP 2nd Port Notification
Before: Domain = DATA, Supplicant = 0011.2233.4455, Port Status = AUTHORISED, Authentication Method = MAB.
Device A unplugs: the phone sends a CDP link-down TLV for its second (PC) port to the switch; the session is cleared immediately -> Domain = DATA, Port Status = UNAUTHORISED.
Device B plugs in and authenticates: Domain = DATA, Supplicant = 6677.8899.AABB, Port Status = AUTHORISED, Authentication Method = Dot1x.
• The link-status message addresses the root cause: the switch now learns the PC port's link state
• Session cleared immediately
• Works for MAB and 802.1X
• Nothing to configure
Requires: IP Phone firmware 8.4(1); 3K 12.2(50)SE (Q2CY09), 4K 12.2(50)SG, 6K 12.2(33)SXI
Modifying Default Security with 802.1X: Multi-Auth Mode
Multiple MACs on the port (e.g. a VM behind the host), each MAC authenticated individually by 802.1X or MAB.
interface fastEthernet 3/48
 authentication port-control auto
 authentication host-mode multi-auth
• No VLAN assignment supported
• A superset of MDA, with multiple data devices per port
Authorisation
Authorisation
Authorisation is the embodiment of the ability to enforce policies on identities.
Typically policies are applied using a group methodology, which allows for easier manageability.
The goal is to take the notion of group management and policies into the network.
Types of authorisation:
– Default: closed until authenticated
– Dynamic: VLAN assignment, ACL assignment (returned by the AAA server)
– Local: Guest VLAN, Auth-Fail VLAN, Critical Auth VLAN (decided on the switch)
Changing the Default Authorisation: "Open Access"
Open mode (no restrictions): authentication is performed, but no access control is enforced; the port forwards traffic before, and regardless of, the authentication result.
interface GigabitE 3/13
 authentication port-control auto
 authentication open
 mab
Open Access Application 1: Monitor Mode
Monitor the network, see who's on, and address future connectivity problems by installing supplicants and credentials and creating the MAB database, all before access control is enforced.
RADIUS accounting logs provide visibility:
• Passed/failed 802.1X/EAP attempts
  – list of valid 802.1X-capable endpoints
  – list of non-802.1X-capable endpoints
• Passed/failed MAB attempts
  – list of valid MACs
  – list of invalid or unknown MACs
To do before implementing access control:
• Confirm that all these endpoints should be on the network
• Install supplicants on clients X, Y, Z
• Update credentials on failed 802.1X clients
• Update the MAC database with failed MABs ...
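The monitor-mode triage described above, as an added example (not from the session): it sorts the endpoints seen in authentication records into the four lists on the slide (802.1X passed, 802.1X failed and needs new credentials, MAB passed, MAC unknown) and derives the one list that should feed the MAB database, namely unknown MACs that never spoke EAP at all. The records are constructed here in a simplified key=value layout, not the native ACS or RADIUS accounting format; a real deployment would replace `parse_log` with a parser for its server's export.

```python
"""Monitor-mode triage of 802.1X / MAB authentication records."""
from collections import defaultdict

# Constructed sample, one authentication attempt per line, oldest first.
SAMPLE_LOG = """\
2011-03-01T09:00:01 switch=sw1 port=Gi1/0/1 mac=0011.2233.4455 method=dot1x user=sally result=PASS
2011-03-01T09:00:03 switch=sw1 port=Gi1/0/2 mac=0011.2233.4466 method=dot1x user=host/lab-pc7 result=FAIL reason=cert-expired
2011-03-01T09:01:32 switch=sw1 port=Gi1/0/2 mac=0011.2233.4466 method=mab user=00-11-22-33-44-66 result=FAIL reason=unknown-mac
2011-03-01T09:01:40 switch=sw1 port=Gi1/0/3 mac=000f.2322.d9a2 method=mab user=00-0F-23-22-D9-A2 result=PASS
2011-03-01T09:02:10 switch=sw1 port=Gi1/0/4 mac=0024.9b00.1111 method=mab user=00-24-9B-00-11-11 result=FAIL reason=unknown-mac
2011-03-01T09:05:00 switch=sw1 port=Gi1/0/1 mac=0011.2233.4455 method=dot1x user=sally result=PASS
2011-03-01T09:06:00 switch=sw2 port=Gi1/0/9 mac=0011.2233.4477 method=dot1x user=bob result=FAIL reason=bad-password
2011-03-01T09:07:00 switch=sw2 port=Gi1/0/9 mac=0011.2233.4477 method=dot1x user=bob result=PASS
"""


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = {"ts": ts}
        for token in rest.split():
            key, _, value = token.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def triage(records):
    """Classify each MAC by what it attempted and what succeeded."""
    attempts = defaultdict(lambda: {"dot1x": [], "mab": []})
    for r in records:
        attempts[r["mac"]][r["method"]].append(r)
    report = {"dot1x_ok": set(), "dot1x_fix_credentials": set(),
              "mab_ok": set(), "mab_unknown_mac": set(), "no_supplicant": set()}
    for mac, a in attempts.items():
        if a["dot1x"]:
            if any(r["result"] == "PASS" for r in a["dot1x"]):
                report["dot1x_ok"].add(mac)            # at least one good 802.1X login
            else:
                report["dot1x_fix_credentials"].add(mac)  # has a supplicant, credential broken
        else:
            report["no_supplicant"].add(mac)           # never spoke EAP
        if a["mab"]:
            if any(r["result"] == "PASS" for r in a["mab"]):
                report["mab_ok"].add(mac)
            else:
                report["mab_unknown_mac"].add(mac)
    return report


def mab_db_candidates(report):
    """MACs to review for the MAB database: unknown to RADIUS and with no
    supplicant at all. A device that failed 802.1X with an expired
    certificate is a credential fix, not a MAB entry."""
    return sorted(report["mab_unknown_mac"] & report["no_supplicant"])
```

Keeping `mab_unknown_mac` and `no_supplicant` apart is the point: once enforcement is on, every MAC added to the MAB database is an identity anyone can spoof, so a host that merely has a broken certificate should be repaired rather than whitelisted by MAC.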
Open Mode Application 2: Selectively Open Mode (aka Low Impact Mode)
Selectively Open Access:
• Open Mode (pinhole) on specific TCP/UDP ports, restricted to specific addresses
• EAP allowed (controlled port)
• Block general access until successful 802.1X, MAB or WebAuth
• Pinhole explicit tcp/udp ports to allow desired access
• Download general-access ACL upon authentication
interface GigabitE 3/13
authentication port-control auto
authentication open
ip access-group UNAUTH in
BRKSEC-2005 77
Sample Open Mode Configs: Open Mode with Dynamic ACLs
Slide Source: Ken Hook
Topology: wired Ethernet end points (802.1X PC, PXE client) on Catalyst 6500 802.1X Ethernet ports; ACS/AAA, a DHCP/DNS server (10.100.10.116) and a PXE server (10.100.10.117) are reachable through the pre-auth ACL.
interface range gigE 1/0/1 - 24
switchport access vlan 30
switchport voice vlan 31
ip access-group PRE-AUTH in
authentication host-mode multi-domain
authentication open
authentication port-control auto
mab
ip access-list extended PRE-AUTH
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
(Before Authentication)
Switch#show tcam interface g1/13 acl in ip
permit tcp any any established match-any
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
deny ip any any
(After Authentication, client IP 10.100.60.200, downloaded ACL "permit ip any any")
Switch#show tcam interface g1/13 acl in ip
permit ip host 10.100.60.200 any
permit tcp any any established match-any
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
deny ip any any
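To make the before/after TCAM output above concrete, here is an added example (not Cisco code) that parses the slide's ACEs and evaluates constructed packets first-match against the pre-auth ACL and against the ACL with the downloaded per-user entry prepended.

```python
"""First-match evaluation of the pre-auth pinhole ACL and of the ACL in
force after authentication (dACL entries prepended, as the TCAM output shows).

Added example, not Cisco code: a minimal IOS-ACE parser that understands
only the forms on the slide ('any', 'host A.B.C.D', 'eq <port>',
'established'); the packets below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "domain": 53, "tftp": 69}  # IOS keywords used on the slide


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False     # TCP ACK/RST set: what 'established' matches on


@dataclass
class Ace:
    action: str
    proto: str
    src: Optional[str]    # None means 'any'
    dst: Optional[str]
    dport: Optional[int]
    established: bool


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'permit udp any host 10.100.10.116 eq domain'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def addr(i):
        if tok[i] == "any":
            return None, i + 1
        if tok[i] == "host":
            return tok[i + 1], i + 2
        raise ValueError(f"unsupported address form: {tok[i]}")

    src, i = addr(i)
    dst, i = addr(i)
    dport, established = None, False
    while i < len(tok):
        if tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword: {tok[i]}")
    return Ace(action, proto, src, dst, dport, established)


def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in (None, pkt.src)
            and ace.dst in (None, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (not ace.established or pkt.ack))


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; the implicit 'deny ip any any' ends the list."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


PRE_AUTH = [parse_ace(line) for line in """\
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp""".splitlines()]

# Per-user ACE the switch installed for the authenticated host on the slide.
DACL = [parse_ace("permit ip host 10.100.60.200 any")]
POST_AUTH = DACL + PRE_AUTH   # downloaded entries sit above the interface ACL

# Constructed packets: DHCP discover, DNS to the allowed server, DNS to
# another server, HTTP SYNs from the authenticating host and from a neighbour.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)
DNS_OK = Packet("udp", "10.100.60.200", "10.100.10.116", 53)
DNS_ELSEWHERE = Packet("udp", "10.100.60.200", "10.100.10.118", 53)
HTTP_SYN = Packet("tcp", "10.100.60.200", "10.100.20.5", 80)
HTTP_SYN_OTHER = Packet("tcp", "10.100.60.201", "10.100.20.5", 80)


def decisions(pkt: Packet):
    """Return (before-auth, after-auth) verdicts for one packet."""
    return evaluate(PRE_AUTH, pkt), evaluate(POST_AUTH, pkt)


if __name__ == "__main__":
    for name, pkt in [("dhcp", DHCP_DISCOVER), ("dns-ok", DNS_OK), ("dns-other", DNS_ELSEWHERE),
                      ("http", HTTP_SYN), ("http-other-host", HTTP_SYN_OTHER)]:
        before, after = decisions(pkt)
        print(f"{name:16} before={before:6} after={after}")
```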
BRKSEC-2005 78
Dynamic Authorisation: VLAN Assignment
Dynamic VLAN assignment based on identity of group, or individual, at the time of authentication
VLANs assigned by name—allows for more flexible VLAN management
Tunnel attributes used to send back VLAN configuration information to authenticator
Tunnel attributes are defined by RFC 2868
Usage for VLANs is specified in the 802.1X standard
BRKSEC-2005 79
802.1X with VLAN Assignment
AV Pairs Used (all are IETF standard):
[64] Tunnel-Type = "VLAN" (13)
[65] Tunnel-Medium-Type = "802" (6)
[81] Tunnel-Private-Group-ID = <VLAN name>, e.g. Marketing
VLAN name must match switch configuration
Mismatch results in authentication failure
Switch configuration:
aaa authorization network default group radius
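An added example (not Cisco or RFC code) of the three AV pairs above: it encodes them as RFC 2868 tagged RADIUS attributes and then checks them the way the switch does, applying the deck's rule that attribute 81 must carry a VLAN name or VLAN ID that exists on the switch. SWITCH_VLANS is a constructed VLAN table.

```python
"""RFC 2868 tunnel attributes for 802.1X VLAN assignment, encoded and then
checked the way the switch checks them.

Added example, not Cisco or RFC code.  SWITCH_VLANS is a constructed VLAN
table; the matching rule (attribute 81 carries a VLAN name or a VLAN ID,
and it must exist on the switch) is the deck's.
"""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "802"

SWITCH_VLANS = {"Marketing": 50, "Engineering": 60}   # constructed: name -> VLAN ID


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (value + 2), Value."""
    return bytes([atype, 2 + len(value)]) + value


def vlan_assignment_attrs(group_id: str, tag: int = 0) -> bytes:
    """Encode AV pairs 64, 65 and 81; the tag octet (0..31) groups them (RFC 2868)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_id.encode("ascii")))


def parse_attrs(data: bytes):
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def resolve_vlan(attr_bytes: bytes, vlan_table: dict):
    """Switch-side check.  Returns (vlan_id, None) on success or (None, reason).

    A failure here is what the deck calls an authorisation failure: ACS has
    already logged the authentication as successful.
    """
    seen = {}
    for atype, value in parse_attrs(attr_bytes):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first octet above 0x1F is string data, not a tag.
            text = value[1:] if value[0] <= 0x1F else value
            seen[atype] = text.decode("ascii", "replace")
    if seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None, "Tunnel-Type/Tunnel-Medium-Type missing or not VLAN/802"
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return None, "Tunnel-Private-Group-ID missing"
    if group.isdigit():                      # integer form: must be an existing VLAN ID
        vid = int(group)
        if vid in vlan_table.values():
            return vid, None
    elif group in vlan_table:                # string form: must match an existing VLAN name
        return vlan_table[group], None
    return None, f"non-existent VLAN {group}"   # cf. %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND


if __name__ == "__main__":
    for gid in ("Marketing", "50", "BadVLAN"):
        print(gid, "->", resolve_vlan(vlan_assignment_attrs(gid), SWITCH_VLANS))
```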
BRKSEC-2005 81
URL Redirect
Requires HTTP on the switch
Does not "authenticate" via the web native to the switch
Mainly used for custom notification at this time
Future integration with other Cisco products
Authentication process (Client, Switch, RADIUS, Web Page):
1. 802.1X/MAC Authentication
2. RADIUS authorises port with URL redirect
3. User initiates web connection
4. Switch port redirects to web page
BRKSEC-2005 82
Authorisation Recommendations
All Authorisation (VLAN, dACL, etc.) is completely optional
Only use it if you have to separate users due to a business requirement
Most enterprises do not have this requirement for known users
Leave the port in its default VLAN or assign the VLAN during machine authentication if possible
BRKSEC-2005 83
802.1X Deployment Considerations: Authentication and Endpoint Considerations
BRKSEC-2005 84
802.1X Authentication Database
Where is the single source of authentication credentials for the enterprise?
Do you have to build new or extend trust between databases?
Some enterprises could not use Active Directory (AD) or other Network Operating System (NOS) user/machine authentication databases
The EAP method may impose requirements on the authentication database, for example when MS-CHAPv2 is required for password authentication.
BRKSEC-2005 85
Supplicant Considerations
Microsoft Windows
–User and machine authentication
–DHCP request time out
–Machine authentication restriction
–Default methods: MD5, PEAP, EAP-TLS
Unix/Linux considerations
–Open source: xsupplicant Project (University of Utah)
–Available from http://www.open1x.org
–Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC
Native Apple supplicant support in OS X 10.3
–802.1X is turned off by default!
–Default parameters—TTLS, LEAP, PEAP, MD5, FAST supported
–Support for airport and wired interfaces
–In 10.5 Single sign on (SSO) can be accomplished for system or user. Not both at the same time
BRKSEC-2005 86
Cisco Secure Services Client (SSC)
Introduces features over and above the native supplicants
–EAP types
–Management Interfaces
–Automatic VPN initiation
Features
Robust Profile Management
Support for industry standards
Endpoint integrity
Single sign-on capable
Enabling of group policies
Administrative control
Benefits
Simple, secure device connectivity
Minimises chances of network compromise from infected devices
Reduces complexity
Restricts unauthorised network access
Centralised provisioning
BRKSEC-2005 87
Cisco AnyConnect 3.0 Client
Unified Cisco Client
802.1X Supplicant
VPN Client
Plus more
Introduces features over and above the native supplicants
– EAP types
– Management Interfaces
– Automatic VPN initiation
BRKSEC-2005 88
802.1X Deployment Considerations: 802.1X and Microsoft Windows
BRKSEC-2005 89
Windows Boot Cycle Overview
Inherent assumption of network connectivity. Components that depend on network connectivity are marked (*); with 802.1X user authentication only, the earliest network connectivity comes after GINA, so every marked component before it is broken.
Power On
Kernel Loading, Windows HAL Loading, Device Driver Loading
Obtain Network Address (Static, DHCP) *
Determine Site and DC (DNS, LDAP) *
Establish Secure Channel to AD (LDAP, SMB) *
Kerberos Authentication (Machine Account) *
Computer GPOs Loading (Async) *
GPO based Startup Script Execution *
Certificate Auto Enrollment, Time Synchronisation, Dynamic DNS Update *
GINA (earliest network connectivity with user auth only)
Kerberos Auth (User Account)
User GPOs Loading (Async)
GPO based Logon Script Execution (SMB)
Components broken with 802.1X user authentication only: all marked steps before GINA
BRKSEC-2005 90
Problem 1: Microsoft Issues with DHCP
With wired interfaces a successful 802.1X authentication does not force a DHCP address discovery (no media-connect signal)
DHCP starts once the interface comes up
If 802.1X authentication takes too long, DHCP may time out
Timeline: Power Up, Load NDIS Drivers, DHCP, Setup Secure Channel to DC, Present GINA (Ctrl-Alt-Del) Login
DHCP: timeout at 62 seconds
802.1X Auth: variable timeout
DHCP is a parallel event, independent of 802.1X authentication
BRKSEC-2005 91
Problem 2: Machine GPOs Broken
What Is a Group Policy?
Group policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment
Types of Group Policy
–Registry-based policy
–Security options
–Software installation and maintenance options
–Scripts options
–Folder redirection options
BRKSEC-2005 92
The Solution: Machine Authentication
What is machine authentication?
–The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session
What is it used for?
–Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies
Why do we care?
–Pre-802.1X this worked under the assumption that network connectivity was a given; post-802.1X the blocking of network access prior to 802.1X authentication breaks DHCP & machine-based group policy model—UNLESS the machine can authenticate using its own identity in 802.1X
BRKSEC-2005 95
802.1X VLAN Assignment Problem 1: DHCP Renewal
When using dynamic VLAN assignment with user & machine authentication, the host’s VLAN can change when user logs in.
– IP address may need to change also
Supplicant behaviour has been addressed by Microsoft
– Windows XP: install service pack 1a + KB 826942
– Windows 2000: install service pack 4
– Needed for VLAN assignment with Wireless Zero Config
Updated supplicants trigger DHCP IP address renewal
– Successful authentication causes client to ping default gateway (three times) with a sub-second timeout
– Lack of echo reply will trigger a DHCP IP renew
– Successful echo reply will leave IP as is
– Prerenewal ping prevents lost connections when subnet stays the same but client may be WLAN roaming
BRKSEC-2005 96
DHCP and 802.1X
Windows XP: Install Service Pack 1a + KB 826942; Windows 2000: Install Service Pack 4
Exchange between Supplicant, Authenticator and Authentication Server:
1. Login Req.
2. Send Credentials
3. Forward Credentials to ACS Server
4. Accept
5. Auth Successful (EAP-Success), VLAN Assignment
6. ICMP Echo (x3) for Default GW from "Old IP" as soon as the EAP-Success frame is received
7. DHCP-Request (D=255.255.255.255), after the pings have gone unanswered
8. DHCP-NAK (Wrong Subnet)
9. DHCP-Discover (D=255.255.255.255)
At this point, DHCP proceeds normally
For Your Reference
BRKSEC-2005 97
Problem 2: "Real" Boot Sequence & VLAN Assignment
Start of 802.1X auth may vary among supplicants; the components that are in a race condition with 802.1X auth are marked on the slide
Power On
Kernel Loading, Windows HAL Loading, Device Driver Loading
802.1X Machine Auth (Machine VLAN)
Obtain Network Address (Static, DHCP)
Determine Site and DC (DNS, LDAP)
Establish Secure Channel to AD (LDAP, SMB)
Kerberos Authentication (Machine Account)
Computer GPOs Loading (Async)
GPO based Startup Script Execution
Certificate Auto Enrollment, Time Synchronisation, Dynamic DNS Update
GINA
802.1X User Auth (User VLAN)
Kerberos Auth (User Account)
User GPOs Loading (Async)
GPO based Logon Script Execution (SMB)
Fast Logon Optimisation
BRKSEC-2005 98
Problem 3: VLAN Assignment and GPOs
Same boot sequence as above, with the host moving from VLAN1 (10.1.1.1) to VLAN2 (99.1.1.1) between machine and user authentication while the same components are in a race condition with 802.1X auth
BRKSEC-2005 99
Vista SP1/Windows 2008 and XP SP3
If the supplicant fails 802.1X authentication once, it goes down for twenty minutes before it tries again
–Vista SP1/Windows 2008 - KB957931 http://support.microsoft.com/kb/957931
–XP SP3 – KB coming soon
BRKSEC-2005 100
802.1X and Windows Recommendations
Machine Authentication is mandatory for managed environments
Consider machine authentication only
–Manage auth behaviour on XP SP2/2000 via registry keys
–http://support.microsoft.com/kb/309448/en-us
–http://www.microsoft.com/technet/network/wifi/wififaq.mspx
–Manage XP SP3/Vista Supplicant through XML
–http://support.microsoft.com/kb/929847
Use the automatic provisioning built into AD if possible
–Machines are provisioned automatically with a machine password
–Can have certificates automatically provisioned via AD GPOs
BRKSEC-2005 101
VLANs and Windows: Recommendations
When using Dynamic VLANs:
–Disable Fast Logon Optimisation
–Use the same VLAN for machine and user authorisation
–VLAN assignment requires AD, DHCP server, and network switch changes (planning, routing, trunking, etc.)
Access Control Lists (ACLs) are a policy enforcement alternative to VLANs. Beware of TCAM implications: the number of ACEs on L3 switch is limited.
ACL per port can be assigned by RADIUS server per group.
BRKSEC-2005 102
802.1X Deployment Considerations: Other Considerations
BRKSEC-2005 103
Remote Desktop
XP: Microsoft Remote Desktop logs off the local user and drops the machine into machine mode, which results in a machine auth.
Vista: Leaves the local user logged onto the system, so it does not trigger an 802.1X auth.
If machine authentication and user authentication result in the same VLAN then there are no problems
If machine authentication puts the machine in a different VLAN, then user authentication must be maintained despite Windows logging the user off.
SSC on XP provides the above solution
BRKSEC-2005 105
Pre eXecution boot Environment (PXE): Default Security Impact
interface fastEthernet 3/48
authentication port-control auto
ALL traffic except EAPoL is dropped
One physical port -> two virtual ports: uncontrolled port (EAPoL only) and controlled port (everything else)
PXE BIOS needs network access within 60 seconds of link-up to download a bootable OS
Most PXE implementations do not support 802.1X.
No 802.1X = No network access = No OS download.
BRKSEC-2005 106
PXE Solution 1: MAC Authentication Bypass (MAB) *
interface GigabitE 3/13
authentication port-control auto
dot1x timeout tx-period 10
mab
Sequence between the PXE BIOS client (00.0a.95.7f.de.06), the switch (Dot1x/MAB) and RADIUS:
EAPOL-Request (Identity) upon link up; DHCP Discover 1 dropped (X)
EAPOL-Request (Identity) after 10 seconds; DHCP Discover 2 dropped (X)
EAPOL-Request (Identity) after 10 seconds; DHCP Discover 3 dropped (X)
EAPOL timeout: initiate MAB, learn MAC (variable time)
RADIUS Access-Request: 00.0a.95.7f.de.06
RADIUS Access-Accept: port enabled (√)
DHCP Discover 4 succeeds (√); PXE continues
* exact packet sequence will vary
BRKSEC-2005 107
PXE Solution 2: Open Mode with Interface ACL
Selectively Open Access:
• Open Mode (pinhole) on specific TCP/UDP ports for PXE, restricted to specific addresses
• EAP allowed (controlled port)
• Block general access until successful MAB
• Pinhole explicit tcp/udp ports to allow desired access
• Download general-access ACL upon authentication
interface GigabitE 3/13
authentication port-control auto
authentication open
ip access-group UNAUTH in
BRKSEC-2005 108
Wake On LAN (WOL) and 802.1X: Selectively Open Access Outbound
802.1X controls port traffic in BOTH directions; by default outbound traffic is blocked until successful 802.1X/MAB
Use WOL support on the switch to allow outbound (from switch) traffic to wake up a WOL capable device
interface GigabitE 3/13
authentication port-control auto
authentication control-direction in
BRKSEC-2005 110
Monitoring & Troubleshooting
BRKSEC-2005 111
802.1X Monitoring and Troubleshooting
Major components of 802.1X monitoring
–RADIUS accounting
–NAD logs
–RADIUS logs
–NAD CLI
–SNMP on NAD
Major components of 802.1X troubleshooting
–Correlated log reports (ACS View)
–Third party log analysis and reporting
–SNMP on NAD
–NAD CLI
BRKSEC-2005 112
802.1X with RADIUS Accounting
Supplicant 802.1X Process1 Authenticate
2 Access-Accept
RADIUS Process
2 EAPOL-Success
BRKSEC-2005 113
802.1X with RADIUS Accounting
Accounting-Request packets contain one or more AV pairs to report various events and related information to the RADIUS server
User-level events are tracked by the same mechanism
1. Authenticate
2. Access-Accept (RADIUS to switch), EAPOL-Success (switch to supplicant)
3. Accounting Request
4. Accounting Response
BRKSEC-2005 114
802.1X with RADIUS Accounting
Similar to other accounting and tracking mechanisms that already exist using RADIUS
–Can now be done through 802.1X
Increases network session awareness
Provides information to a management infrastructure about who logs in and for how long, supports basic billing/usage reporting, etc.
Provides a means to map the information of an authenticated session: 802.1X accounting supplies (Identity, Port, MAC, Switch), the switch also knows (IP, Port, MAC, Switch); joining the two on Switch, Port and MAC links Identity to IP, and Switch + Port = Location
IOS:
aaa accounting dot1x default start-stop group radius
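The identity/IP/location mapping described above, as an added example that is not part of the deck: it ingests constructed Accounting-Request AV pairs (standard attribute names) and keeps a table of active and closed sessions, including the case where the client IP only arrives in a later Interim-Update.

```python
"""Correlate RADIUS accounting records into identity / IP / location.

Added example, not Cisco code.  The records below are constructed
Accounting-Request AV pairs (standard attribute names) for one switch port
carrying a phone (MAB) and a PC (802.1X); NAS-IP-Address is a constructed
value.  In this sample the PC's IP arrives in an Interim-Update rather than
in the Start, which is handled.
"""

SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0x00000009",
     "User-Name": "00-0F-23-22-D9-A2", "Calling-Station-Id": "00-0F-23-22-D9-A2",
     "NAS-IP-Address": "10.6.0.1", "NAS-Port-Id": "GigabitEthernet7/1",
     "Framed-IP-Address": "10.6.110.2"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0x00000011",
     "User-Name": "nac\\darrimil", "Calling-Station-Id": "00-0D-60-FC-8B-F5",
     "NAS-IP-Address": "10.6.0.1", "NAS-Port-Id": "GigabitEthernet7/1"},
    {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "0x00000011",
     "User-Name": "nac\\darrimil", "Calling-Station-Id": "00-0D-60-FC-8B-F5",
     "NAS-IP-Address": "10.6.0.1", "NAS-Port-Id": "GigabitEthernet7/1",
     "Framed-IP-Address": "10.6.50.2"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0x00000011",
     "User-Name": "nac\\darrimil", "Calling-Station-Id": "00-0D-60-FC-8B-F5",
     "NAS-IP-Address": "10.6.0.1", "NAS-Port-Id": "GigabitEthernet7/1",
     "Acct-Terminate-Cause": "User-Request"},
]


class SessionTable:
    """Active and closed 802.1X/MAB sessions keyed by (switch, session id)."""

    def __init__(self):
        self.active = {}
        self.closed = []

    def ingest(self, rec):
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"]
        if status == "Start":
            self.active[key] = {
                "identity": rec["User-Name"],
                "mac": rec["Calling-Station-Id"].lower(),
                "switch": rec["NAS-IP-Address"],
                "port": rec["NAS-Port-Id"],
                "ip": rec.get("Framed-IP-Address"),
            }
        elif status == "Interim-Update" and key in self.active:
            # The IP is often learned after the Start; pick it up when it appears.
            if rec.get("Framed-IP-Address"):
                self.active[key]["ip"] = rec["Framed-IP-Address"]
        elif status == "Stop":
            sess = self.active.pop(key, None)
            if sess is not None:
                sess["terminate_cause"] = rec.get("Acct-Terminate-Cause")
                self.closed.append(sess)

    def locate(self, ip):
        """Identity and (switch, port) currently behind an IP, or None."""
        for sess in self.active.values():
            if sess["ip"] == ip:
                return sess["identity"], (sess["switch"], sess["port"])
        return None

    def on_port(self, switch, port):
        """Identities currently authenticated on one physical port."""
        return sorted(s["identity"] for s in self.active.values()
                      if s["switch"] == switch and s["port"] == port)


def build_table(records):
    table = SessionTable()
    for rec in records:
        table.ingest(rec)
    return table


if __name__ == "__main__":
    t = build_table(SAMPLE_RECORDS)
    print("10.6.110.2 ->", t.locate("10.6.110.2"))
    print("closed:", t.closed)
```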
BRKSEC-2005 115
Troubleshooting: Identify Points of Failure
It is important to understand the failure point in the picture
It is important to understand which issue causes what failures
In most cases the description of the issue symptom can be vague or misleading, and you must correlate separate pieces of information for problem resolution.
BRKSEC-2005 116
ACS View 5.0 RADIUS Authentication
BRKSEC-2005 117
ACS View 5.0 Authentications Details
BRKSEC-2005 118
802.1X Port Config
ID-6500a#sho authentication session interface gigabitEthernet 7/1
Interface: GigabitEthernet7/1
MAC Address: 000f.2322.d9a2
IP Address: 10.6.110.2
User-Name: 00-0F-23-22-D9-A2
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Posture Token: Unknown
Authorized By: Authentication Server
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A00645A00000007000E37CC
Acct Session ID: 0x00000009
Handle: 0x0E000007
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
----------------------------------------
Interface: GigabitEthernet7/1
MAC Address: 000d.60fc.8bf5
IP Address: 10.6.50.2
User-Name: nac\darrimil
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Posture Token: Healthy
Authorized By: Authentication Server
Vlan Policy: 50
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A00645A0000000D0030B498
Acct Session ID: 0x00000011
Handle: 0x1500000D
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
interface GigabitEthernet7/1
switchport
switchport mode access
switchport voice vlan 110
ip access-group default_acl in
authentication event fail action next-method
authentication host-mode multi-domain
authentication open
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
For Your Reference
BRKSEC-2005 119
EAP Problem: Certificate Trust Issues
One of the most common issues seen in deployments and pilots (screenshots from ACS 5.0 and ACS 4.2)
BRKSEC-2005 120
802.1X Authorisation Failure 1
In case network authorisation is NOT ENABLED on a NAD, i.e. the following CLI is missing:
aaa authorization network default group radius
ACS Message Type: Authentication Successful
Authentication Failure Reason (AFR): There is no AFR associated with this error since authentication succeeds
User Experience: Balloon message "Windows cannot connect you to the network (contact your network administrator)"
VLAN assignment succeeds but assigns the port to VLAN 0. Since there is no VLAN 0, the default port VLAN is used for authorisation, and if there is no DHCP set up for this VLAN then the client can’t obtain an IP address.
Session Timeout (RADIUS attribute 27) is not assigned to the port as the reauthentication timer value, so the reauthentication timer becomes 0. This means that there will be no reauthentication.
Supplicant might try to re-DHCP if it can’t get an IP address
BRKSEC-2005 121
802.1X Authorisation Failure 1 (debug output)
ID-6500a#debug condition interface GigabitEthernet 7/1   (new feature)
ID-6500a#debug auth feature vlan_assign event
Auth Feature vlan_assign events debugging is on
*Dec 15 14:46:58.439: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1
ID-6500a#sho authentication sess interface g 7/1
Interface: GigabitEthernet7/1
MAC Address: 000d.60fc.8bf5
IP Address: 10.6.50.2
User-Name: nac\darrimil
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A00645A0000000E005DD8A8
Acct Session ID: 0x00000013
Handle: 0xF900000E
BRKSEC-2005 122
802.1X Authorisation Failure 2
• In case an invalid RADIUS attribute is sent via RADIUS Access-Accept
• ACS Message Type: Authen Successful
• AFR: There is no AFR associated with this error since authentication succeeds
• User Experience: Balloon message "Windows cannot connect you to the network (contact your network administrator)"
RADIUS Access-Accept with invalid RADIUS attribute 81 is sent
Basic rule is that attribute 81 needs to be either a "string" or an "integer". If a string, it needs to match a VLAN name that exists on the switch. If an integer, it needs to match a VLAN ID that exists on the switch.
Passed Authentications report shows authentication is successful
Authorisation failure on switch is NEVER reported back to ACS.
*Dec 15 15:03:21.007: %AUTHMGR-5-START: Starting 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
BRKSEC-2005 123
802.1X Authorisation Failure 3
*Aug 26 13:44:29.991: %DOT1X-5-SUCCESS: Authentication successful for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:29.991: %EPM-6-POLICY_REQ: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=APPLY
*Aug 26 13:44:29.991: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-REQUEST
*Aug 26 13:44:30.003: %EPM-6-AAA: POLICY=xACSACLx-IP-phone-dACL-48a4f023 | EVENT=DOWNLOAD-SUCCESS
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.003: %EPM-6-IPEVENT: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| EVENT=IP-WAIT
*Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
• In case an invalid RADIUS attribute is sent via RADIUS Access-Accept
• ACS Message Type: Authen Successful
• AFR: There is no AFR associated with this error since authentication succeeds
• User Experience: Balloon message "Windows cannot connect you to the network (contact your network administrator)"
When the downloadable ACL feature is used, there must be an interface ACL applied to the interface.
Passed Authentications report shows authentication is successful
Authorisation failure on switch is NEVER reported back to ACS.
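Since none of the three authorisation failures above reaches ACS, the switch logs are the only place to catch them. The following added example (not Cisco code) matches the signatures from the three slides over the deck's own log lines, reassembled one message per line, and ties each generic AUTHMGR-5-FAIL to the specific reason logged just before it.

```python
"""Detect switch-side 802.1X authorisation failures in NAD logs.

Added example, not Cisco code.  ACS records all three cases on the deck as
successful authentications, so the only evidence is on the switch; the
sample lines are the deck's own debug/syslog output, reassembled one
message per line.
"""
import re

IFACE = r"(?:Gi|GigabitEthernet)(?P<iface>\d+/\d+)"
MAC = r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"

# (case label, pattern, fix the deck recommends)
SIGNATURES = [
    ("network authorization not enabled (port put in VLAN 0)",
     re.compile(r"AUTH-FEAT-VLAN-ASSIGN-EVENT \(" + IFACE + r"\): Successfully assigned VLAN 0$"),
     "configure 'aaa authorization network default group radius'"),
    ("RADIUS attribute 81 names a VLAN the switch does not have",
     re.compile(r"%DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: .*VLAN (?P<vlan>\S+) to 802\.1x port " + IFACE),
     "send a VLAN name or ID that exists on the switch in Tunnel-Private-Group-ID"),
    ("downloadable ACL with no interface ACL",
     re.compile(r"%EPM-4-POLICY_APP_FAILURE: .*MAC=" + MAC + r"\|.*REASON=Interface ACL not configured"),
     "apply an interface ACL ('ip access-group ... in') on the port"),
]
AUTHMGR_FAIL = re.compile(
    r"%AUTHMGR-5-FAIL: Authorization failed for client \(" + MAC + r"\) on Interface " + IFACE)


def detect(lines):
    """One finding per matched signature, confirmed by a later AUTHMGR-5-FAIL where one exists."""
    findings = []
    for line in lines:
        for case, pattern, remedy in SIGNATURES:
            m = pattern.search(line)
            if m:
                g = m.groupdict()
                findings.append({"case": case, "iface": g.get("iface"), "mac": g.get("mac"),
                                 "vlan": g.get("vlan"), "remedy": remedy, "confirmed": False})
                break
        else:
            m = AUTHMGR_FAIL.search(line)
            if m:
                # Tie the generic failure to the most recent open finding on the same
                # interface or for the same MAC, filling in whichever it lacked.
                for f in reversed(findings):
                    if not f["confirmed"] and (f["iface"] == m["iface"] or f["mac"] == m["mac"]):
                        f["confirmed"] = True
                        f["iface"] = f["iface"] or m["iface"]
                        f["mac"] = f["mac"] or m["mac"]
                        break
    return findings


# The deck's lines.  Case 1 only appears with 'debug auth feature vlan_assign event'
# enabled; the switch then logs a success and never raises AUTHMGR-5-FAIL.
SAMPLE_LOG = """\
*Dec 15 14:46:59.243: AUTH-FEAT-VLAN-ASSIGN-EVENT (Gi7/1): Successfully assigned VLAN 0
*Dec 15 14:46:59.751: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000d.60fc.8bf5) on Interface Gi7/1
*Dec 15 15:03:21.911: %DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN BadVLAN to 802.1x port GigabitEthernet7/1
*Dec 15 15:03:21.911: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
*Aug 26 13:44:30.003: %EPM-4-POLICY_APP_FAILURE: IP=0.0.0.0| MAC=000d.60fc.8bf5| AUDITSESID=0A00645A000000140090E0A0| AUTHTYPE=DOT1X| POLICY_TYPE=Named ACL| POLICY_NAME=xACSACLx-IP-phone-dACL-48a4f023| RESULT=FAILURE| REASON=Interface ACL not configured
*Aug 26 13:44:30.031: %AUTHMGR-5-FAIL: Authorization failed for client (000d.60fc.8bf5) on Interface Gi7/1
""".splitlines()


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```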
BRKSEC-2005 124
Looking Forward
BRKSEC-2005 125
Overview of Cisco TrustSec
Cisco TrustSec (CTS) affects multiple areas of the network and comprises improvements in the following areas:
–Identification, Authentication and Authorisation for all networked entities, and classification into topology independent security groups
–Confidentiality & Integrity
–Centralised Role Based Access Control (RBAC) Policy Administration
BRKSEC-2005 128
SGACL Enforcement (1)
Role-based ACLs (RBACLs), Source Security Group Tag (SGT) to Destination Group Tag (DGT):
4: S1+S2
7: S1
9: S2
Topology: User 1 (SGT 4), User 2 (SGT 7) and User 3 (SGT 9) are tagged at the ingress switch; Cisco ACS with an external directory server provides the tags and policies; SGACLs are enforced in front of Server 1 and Server 2.
User 1 has access to both servers
1. Security Group Tag is applied on ingress switch port
2. Roles/Attribute-based ACL policies are applied on security group tags (permit, deny, log, police, remark, span, redirect, …)
BRKSEC-2005 129
SGACL Enforcement (2)
Same RBACL table and topology.
User 1 has access to both servers
User 2 has access to Server 1
BRKSEC-2005 130
SGACL Enforcement (3)
Same RBACL table and topology.
User 1 has access to both servers
User 2 has access to Server 1
User 3: access to Server 1 denied
BRKSEC-2005 131
Customer Case Studies
BRKSEC-2005 132
802.1X Deployment Case Study 1
Retailer required to only allow their assets to connect to the network due to lack of physical security
Selected 802.1X as the technical solution after evaluation
Primarily an MSFT desktop and server environment; small group of MAC OSX for designers
Approximately 14,000 ports at home office and remote stores
Cisco IP Telephony environment
Pervasive Wireless environment
BRKSEC-2005 133
802.1X Deployment Case Study 1 (Cont.)
Selected Machine Authentication only for wired and wireless
Leveraged the automatic provisioning of machine certificates in Active Directory to provision the machine credentials (automatic user certificates also possible)
Manually provisioned non AD devices if possible
Failed authentication VLAN and unknown MAC addresses assigned to "guest" VLAN on wired only at home office; no "guest" VLAN at remote sites
No guest WLAN access
IAB used for AAA failures for remote office survivability
Multiple Supplicants; try to leverage native OS supplicant if possible
BRKSEC-2005 134
802.1X Deployment Case Study 1 (Cont.)
Lab Work
– IP Telephony handled by CDP exceptions
–PXE tested and handled via MAB
–Tested "Guest VLAN" backhaul and Proxy for AUP
No Wake On LAN
Decided to handle credential re-provisioning via SSL VPN account triggered via help desk ticket
Bought 3rd party tool to build MAC address database
Extended SIM for reporting
Decided on access layer only deployment since Data Centre had physical security
BRKSEC-2005 135
802.1X Deployment Case Study 1 Methodology
Conducted POC with Network/Desktop Operations
Pre-production pilot with all of IT
– Monitored Failed Authentications/Unknown MACs via group reports to monitor for supplicant configuration issues and unknown devices
– Ran trend reports on IPT and PXE support calls to judge impact
Deployed supplicant configuration/credentials before switches
Deployed "Internet" VLAN with appropriate backhaul to Internet Edge
Deployed 802.1X in "monitor" mode on a per building basis
– 802.1X, MAB, Unknown MAB, Failed VLAN all went to default port VLAN
– Continued Trend reporting for other services
Deployed 802.1X "guest enforcement"
BRKSEC-2005 136
Case Study 2: 802.1X Implementation 802.1X facts and figures
4000 devices with 802.1x supplicant (Windows XP, SP2)
0 devices with MAB
96% dedicated PC, 4% shared PC for internet access
7500 ports with 802.1x activated
2 ACS Appliances for RADIUS
20 AD/Radius groups
650 VLANs
100 Meeting rooms with « wired only » Guest VLAN
More Information: CCS-1001 802.1X Case Study
BRKSEC-2005 137
Case Study 2: MBDA Group Structure
MBDA is owned by EADS (37.5%), BAE SYSTEMS (37.5%) and FINMECCANICA (25%)
MBDA owns 100% of MBDA Deutschland, MBDA Italia, MBDA UK and MBD
A France
Integrated organisation
BRKSEC-2005 138
Summary
802.1X improves enterprise security
802.1X improves enterprise visibility
802.1X is a platform for other security initiatives
Supplicants are important
802.1X is deployable now
New features have significantly simplified deployment
802.1X is not only a network project, it affects the whole IT organisation
BRKSEC-2005 139
Q & A
BRKSEC-2005 140
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
BRKSEC-2005 142
Complete Your Online Session Evaluation
Complete your session evaluation:
Directly from your mobile device by visiting www.ciscoliveaustralia.com/mobile and login by entering your badge ID (located on the front of your badge)
Visit one of the Cisco Live internet stations located throughout the venue
Open a browser on your own computer to access the Cisco Live onsite portal
BRKSEC-2005 143
Meet The Expert
To make the most of your time at Cisco Live 2011, schedule a Face-to-Face Meeting with a top Cisco expert.
Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.
Visit the Meeting Centre reception desk located in the World of Solutions